
Windows Analysis Report
ws_ftp le 508.exe

Overview

General Information

Sample name:ws_ftp le 508.exe
Analysis ID:1438423
MD5:64a58dd55cc3af76fea415ebdbec7af9
SHA1:3ca099902c524527fecfb7f5e2bbc5d0e7c4a76b
SHA256:9d23f416f03f351c8441fbe390893cacf00c3ec09beb7a8947023847d2428d2b

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found evasive API chain (date check)
PE file contains executable resources (Code or Archives)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • ws_ftp le 508.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\ws_ftp le 508.exe" MD5: 64A58DD55CC3AF76FEA415EBDBEC7AF9)
    • SFS5D46.tmp (PID: 6196 cmdline: "C:\Users\user\Desktop\SFS5D46.tmp" MD5: EC184194C54DBAB8D0D84CEF50C3189A)
      • SFS5D75.tmp (PID: 4600 cmdline: "C:\Users\user\Desktop\SFS5D75.tmp" MD5: 6993AF44351EE82C42D77CCF5D550A29)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: C:\Users\user\Desktop\SFS5D46.tmp | ReversingLabs: Detection: 22%
Source: ws_ftp le 508.exe | ReversingLabs: Detection: 22%

Other signature evidence

Source: ws_ftp le 508.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Code function: 0_2_004012CE sprintf,FindFirstFileA,0_2_004012CE
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | String found in binary or memory: HTTP://www.ipswitch.com
Source: SFS5D46.tmp.0.dr | String found in binary or memory: http://www.ipswitch.com
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | String found in binary or memory: http://www.ipswitch.com/downloads/ws_ftp_PRO.html
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | String found in binary or memory: http://www.ipswitch.com/products/ws_ftp/
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | String found in binary or memory: http://www.ipswitch.com/products/ws_ftp/DLG_NOT_AUTHRemoveDIRWS_FTPINSTOPTSWS_FTPWS_FTP.exe%s
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | String found in binary or memory: http://www.ipswitch.comopenHTTP://www.ipswitch.comWS_FTPhttp://www.ipswitch.com/downloads/ws_ftp_PRO
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | String found in binary or memory: https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_00406259 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,2_2_00406259
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_0040AA00
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 4039 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 368128 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 428032 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 246726 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 2455 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 102912 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 6699 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 12118 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 14354 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: EXE type: MS Compress archive data, SZDD variant, original size: 10008 bytes
Source: SFS5D75.tmp.1.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
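The ten EXE-type resources listed above are SZDD streams, the format written by Microsoft's compress.exe and unpacked by expand.exe: an 8-byte magic, the byte 'A', the last character of the original file name (the compressed copy's name carries an underscore in that position), the uncompressed size as a little-endian DWORD, then LZSS data over a 4 KiB window. Extracting them statically is the quickest way to see what the installer writes without running it; expand.exe or libmspack can do it, and the format is small enough to decode by hand, which is what the following added example does. It is not code from the report, Joe Sandbox or Ipswitch, and the stream it decodes is constructed for the example rather than taken from SFS5D75.tmp. Two caveats on the surrounding lines: the size field is the only length information an SZDD stream carries, so the decoder must stop at it (the largest resource here unpacks to 428032 bytes); and the RT_STRING resource reported as "DOS executable (COM, 0x8C-variant)" comes from a one-byte libmagic heuristic and, for a string table, is almost certainly a misidentification.

```python
"""SZDD (Microsoft compress.exe / expand.exe) stream decoder.

Added example; not code from the report, Joe Sandbox or Ipswitch. The
report only states that SFS5D75.tmp's EXE resources are "MS Compress
archive data, SZDD variant"; SAMPLE_SZDD below is constructed by hand to
exercise both the literal and the back-reference paths of the format.
"""
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"
HEADER_LEN = 14                      # magic(8) + 'A'(1) + last char(1) + size(4)
WINDOW_SIZE = 4096
WINDOW_START = WINDOW_SIZE - 16      # expand.exe starts writing at 0xFF0


def find_szdd_streams(blob):
    """Offsets of every SZDD header inside a blob such as a PE .rsrc section."""
    offsets, pos = [], blob.find(SZDD_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(SZDD_MAGIC, pos + 1)
    return offsets


def parse_szdd_header(data):
    """Return (last_filename_char, original_size). The compressed file's name
    ends in '_' and this byte is the character it replaces."""
    if data[:8] != SZDD_MAGIC or data[8:9] != b"A":
        raise ValueError("not an SZDD stream")
    return chr(data[9]), struct.unpack_from("<I", data, 10)[0]


def szdd_decompress(data):
    """LZSS variant used by SZDD: 4096-byte ring buffer pre-filled with spaces,
    one control byte per 8 items; bit set = literal byte, bit clear = two bytes
    holding a 12-bit window offset and a 4-bit length (+3)."""
    _, orig_size = parse_szdd_header(data)
    window = bytearray(b"\x20" * WINDOW_SIZE)
    wpos, pos, out = WINDOW_START, HEADER_LEN, bytearray()

    def emit(byte):
        nonlocal wpos
        window[wpos] = byte
        wpos = (wpos + 1) % WINDOW_SIZE
        out.append(byte)

    while len(out) < orig_size and pos < len(data):
        control = data[pos]
        pos += 1
        for bit in range(8):
            if len(out) >= orig_size or pos >= len(data):
                break
            if control & (1 << bit):                    # literal
                emit(data[pos])
                pos += 1
            else:                                       # back-reference
                if pos + 1 >= len(data):
                    break
                b1, b2 = data[pos], data[pos + 1]
                pos += 2
                src = b1 | ((b2 & 0xF0) << 4)           # 12-bit window offset
                for i in range((b2 & 0x0F) + 3):        # length 3..18
                    if len(out) >= orig_size:
                        break
                    emit(window[(src + i) % WINDOW_SIZE])
    if len(out) != orig_size:
        raise ValueError("truncated stream: %d of %d bytes" % (len(out), orig_size))
    return bytes(out)


def szdd_store(payload, last_char="_"):
    """Wrap payload as a valid SZDD stream using literals only (no matches);
    handy for building test inputs and for seeing the header layout."""
    body = bytearray()
    for i in range(0, len(payload), 8):
        chunk = payload[i:i + 8]
        body.append((1 << len(chunk)) - 1)              # low n bits set = n literals
        body += chunk
    return (SZDD_MAGIC + b"A" + last_char.encode("ascii")
            + struct.pack("<I", len(payload)) + bytes(body))


# Constructed sample (not from the report): literals "ABCD", then a 4-byte
# back-reference to window offset 0xFF0, where those literals were written.
SAMPLE_SZDD = (SZDD_MAGIC + b"A" + b"E" + struct.pack("<I", 8)
               + bytes([0x0F]) + b"ABCD" + bytes([0xF0, 0xF1]))
```

For a real resource, run find_szdd_streams() over the .rsrc bytes, slice from the returned offset and pass the slice to szdd_decompress(); for the EXE resources the result should begin with MZ, and the last-character byte tells you the original extension.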
Source: classification engine | Classification label: mal56.winEXE@5/2@0/0
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004086E4 StretchDIBits,GlobalUnlock,FreeResource,ReleaseDC,ValidateRect,2_2_004086E4
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | File created: C:\Users\user\Desktop\SFS5D46.tmp
Source: C:\Users\user\Desktop\SFS5D75.tmp | File created: C:\Users\user\AppData\Local\Temp\WFT5DD2.tmp
Source: ws_ftp le 508.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SFS5D75.tmp | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | File read: C:\Users\user\Desktop\ws_ftp le 508.exe
Source: C:\Users\user\Desktop\SFS5D75.tmp | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_2-4345)
Source: unknown | Process created: C:\Users\user\Desktop\ws_ftp le 508.exe "C:\Users\user\Desktop\ws_ftp le 508.exe"
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Process created: C:\Users\user\Desktop\SFS5D46.tmp "C:\Users\user\Desktop\SFS5D46.tmp"
Source: C:\Users\user\Desktop\SFS5D46.tmp | Process created: C:\Users\user\Desktop\SFS5D75.tmp "C:\Users\user\Desktop\SFS5D75.tmp"
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Section loaded: fddint.dll
Source: C:\Users\user\Desktop\SFS5D46.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SFS5D46.tmp | Section loaded: fddint.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: lz32.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SFS5D75.tmp | Section loaded: textshaping.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SFS5D75.tmp | Window detected: Number of UI elements: 11
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Code function: 0_2_004014D6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcessId,FreeLibrary,GetModuleFileNameA,_getcwd,_chdir,_chdir,strcat,LoadLibraryA,GetProcAddress,remove,FreeLibrary,_chdir,memset,GetVersion,strlen,strlen,MoveFileA,strcpy,??2@YAPAXI@Z,strcpy,strcat,strcat,CreateProcessA,??3@YAXPAX@Z,CreateProcessA,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,remove,0_2_004014D6
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | Code function: 0_2_00401800 push eax; ret 0_2_0040182E
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004092D0 push eax; ret 2_2_004092FE
Source: C:\Users\user\Desktop\ws_ftp le 508.exe | File created: C:\Users\user\Desktop\SFS5D46.tmp (dropped file)
Source: C:\Users\user\Desktop\SFS5D46.tmp | File created: C:\Users\user\Desktop\SFS5D75.tmp (dropped file)
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_0040481A MessageBoxA,GetVersionExA,GetSystemDirectoryA,wsprintfA,GetSystemDirectoryA,wsprintfA,GetSystemDirectoryA,wsprintfA,GetSystemDirectoryA,wsprintfA,GetProfileStringA,lstrlenA,MessageBoxA,MessageBoxA,MessageBoxA,GetProfileStringA,MessageBoxA,GetProfileIntA,wsprintfA,lstrlenA,wsprintfA,lstrlenA,wsprintfA,lstrlenA,CreateDialogParamA,GetDlgItem,GetDlgItem,lstrcpyA,GetDlgItem,GetDlgItem,GetDlgItem,wsprintfA,wsprintfA,wsprintfA,MessageBoxA,GetDlgItem,GetDlgItem,wsprintfA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetDlgItem,SetWindowTextA,SetActiveWindow,DestroyWindow,GetProfileStringA,wsprintfA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,wsprintfA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,wsprintfA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,lstrcpyA,wsprintfA,MessageBoxA,wsprintfA,WritePrivateProfileStringA,WriteProfileStringA,WriteProfileStringA,WriteProfileStringA,wsprintfA,WriteProfileStringA,MessageBoxA,2_2_0040481A
Source: C:\Users\user\Desktop\SFS5D75.tmp | Evasive API call chain: GetSystemTime,DecisionNodes (graph_2-5075)
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c9ah], cx and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c98h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c96h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c92h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004098C0 GetSystemTime followed by cmp: cmp word ptr [00412c90h], ax and CTI: jne 0040992Bh 2_2_004098C0
Source: SFS5D75.tmp, 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | Binary or memory string: 5Program Manager Group
Source: SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp | Binary or memory string: WFT\OSNTWSInstalAPP_MAINWS_FTP Limited Edition Install (32)IPSWITCHWS_FTP LE HelpWS_FTP LE Release NotesUninstall WS_FTP LEWS_FTP Icon PlacementWS_FTP Explorer HelpWS_BMP%s (*.*)|*.*|WS_FTP95.exeDLG_GETSRCDIRDLG_BROWSEaws_ftp\WS_FTPDLG_GETDIRPROGMAN/\\[DeleteItem("%s")]/\\[DeleteItem("%s")][AddItem("%s","%s",,,,,%s)]WS_FTP[DeleteGroup(%s)][CreateGroup(%s)]PROGMANGroups
Source: SFS5D75.tmp, 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | Binary or memory string: Please enter the name of the Program Manager group for this software:
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | Binary or memory string: Ipswitch0Software\Microsoft\Windows\CurrentVersionRunOnceRunServicesOnceRunOnceRunServicesOnce%uSeShutdownPrivilegeWFT\OSNTWSInstalAPP_MAINWS_FTP Limited Edition Install (32)IPSWITCHWS_FTP LE HelpWS_FTP LE Release NotesUninstall WS_FTP LEWS_FTP Icon PlacementWS_FTP Explorer HelpWS_BMP%s (*.*)|*.*|WS_FTP95.exeDLG_GETSRCDIRDLG_BROWSEaws_ftp\WS_FTPDLG_GETDIRPROGMAN/\\[DeleteItem("%s")]/\\[DeleteItem("%s")][AddItem("%s","%s",,,,,%s)]WS_FTP[DeleteGroup(%s)][CreateGroup(%s)]PROGMANGroups
Source: SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: PROGMAN
Source: C:\Users\user\Desktop\SFS5D75.tmp | Code function: 2_2_004098C0 GetLocalTime,GetSystemTime,GetTimeZoneInformation,2_2_004098C0
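The "Code function" entries above are the static evidence behind the capability signatures in the overview. Each line names a function by process index and virtual address (index 0 is ws_ftp le 508.exe and index 2 is SFS5D75.tmp, so 2_2_00406259 is the routine at 0x406259 in the second dropped file) followed by the imported APIs it calls, in order; a signature such as "Contains functionality to shutdown / reboot the system" fires when a required chain (OpenProcessToken, AdjustTokenPrivileges, ExitWindowsEx) appears in that order inside one function. Three points a triager should keep in mind. First, this is a capability match, not an observation: the HCA figures further down list 21 executed and 58 non-executed functions, so a matched chain can sit in a branch that never ran. Second, the specific chains here are consistent with an installer of the year 2000: the SeShutdownPrivilege and RunOnce strings next to the LookupPrivilegeValueA/AdjustTokenPrivileges/ExitWindowsEx sequence are the usual reboot-to-finish path, and a LoadLibraryA/GetProcAddress probe beside GetVersion is how such stubs handled APIs that differ between OS versions. Third, the "GetSystemTime followed by cmp" evidence compares five words at 0x412c90, 0x412c92, 0x412c96, 0x412c98 and 0x412c9a and skips 0x412c94; that stride matches the wYear, wMonth, wDay, wHour and wMinute fields of a SYSTEMTIME with wDayOfWeek left out, which reads as a comparison of two timestamps rather than a hard-coded trigger date. That last reading is an inference from the offsets, not something the report states. The following added example, not code from the report, Joe Sandbox or Ipswitch, parses three of the report's evidence lines verbatim and re-derives two of its signatures as ordered-subsequence matches; the third chain is illustrative and is labelled as such.

```python
"""Re-derive Joe Sandbox style "API chain" signatures from "Code function"
evidence lines. Added example; not the report's, Joe Sandbox's or Ipswitch's
code. REPORT_LINES are copied from the report; the third chain in
SIGNATURES is illustrative and is not a signature the report names."""
import re

REPORT_LINES = [
    "2_2_00406259 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,"
    "AdjustTokenPrivileges,ExitWindowsEx,2_2_00406259",
    "0_2_004014D6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetCurrentProcessId,FreeLibrary,GetModuleFileNameA,_getcwd,"
    "_chdir,_chdir,strcat,LoadLibraryA,GetProcAddress,remove,FreeLibrary,_chdir,"
    "memset,GetVersion,strlen,strlen,MoveFileA,strcpy,??2@YAPAXI@Z,strcpy,strcat,"
    "strcat,CreateProcessA,??3@YAXPAX@Z,CreateProcessA,WaitForSingleObject,"
    "WaitForSingleObject,WaitForSingleObject,remove,0_2_004014D6",
    "2_2_004086E4 StretchDIBits,GlobalUnlock,FreeResource,ReleaseDC,ValidateRect,"
    "2_2_004086E4",
]

# Ordered call chains. The first two reproduce signatures named in the report;
# the third is written for this example only.
SIGNATURES = {
    "Contains functionality to shutdown / reboot the system":
        ["OpenProcessToken", "AdjustTokenPrivileges", "ExitWindowsEx"],
    "Contains functionality to dynamically determine API calls":
        ["LoadLibraryA", "GetProcAddress"],
    "Illustrative: spawns a child process and waits for it":
        ["CreateProcessA", "WaitForSingleObject"],
}

# "<proc>_<n>_<addr> api,api,...,<proc>_<n>_<addr>"; the API list may be empty.
LINE_RE = re.compile(r"^(?P<func>\d+_\d+_[0-9A-Fa-f]{8}) (?P<apis>.*?),?(?P=func)$")


def parse_code_function(line):
    """Split an evidence line into (function id, [called APIs in order])."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a Code function line: %r" % line)
    return m.group("func"), [a for a in m.group("apis").split(",") if a]


def chain_matches(apis, chain):
    """True if every API in chain occurs in apis in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(api == wanted for api in it) for wanted in chain)


def evaluate(lines, signatures=SIGNATURES):
    """Map signature name -> list of function ids whose call order contains it."""
    hits = {}
    for line in lines:
        func, apis = parse_code_function(line)
        for name, chain in signatures.items():
            if chain_matches(apis, chain):
                hits.setdefault(name, []).append(func)
    return hits


if __name__ == "__main__":
    for name, funcs in evaluate(REPORT_LINES).items():
        print("%-62s %s" % (name, ", ".join(funcs)))
```

Order matters in chain_matches(): a function that calls ExitWindowsEx before OpenProcessToken does not match, which is what keeps this kind of rule from firing on unrelated code that merely imports the same APIs.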
MITRE ATT&CK Matrix

Techniques matched by this analysis (number of matching signatures in parentheses):

  • Execution: Command and Scripting Interpreter (2), Native API (21)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Access Token Manipulation (1), Process Injection (2), DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Access Token Manipulation (1), Process Injection (2), Obfuscated Files or Information (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (12), Security Software Discovery (1), Process Discovery (1), File and Directory Discovery (2), System Information Discovery (3)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • Impact: System Shutdown/Reboot (1)

No technique was matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration. The other cells of the matrix (Gather Victim Identity Information, Acquire Infrastructure, Valid Accounts, OS Credential Dumping, Remote Services, Exfiltration Over Other Network Medium and the rest) carried no count and are placeholder technique names, not findings for this sample.
Behavior Graph

Behavior Graph ID: 1438423; Sample: ws_ftp le 508.exe; Start date: 08/05/2024; Architecture: WINDOWS; Score: 56

  • ws_ftp le 508.exe started (signature on this node: Multi AV Scanner detection for submitted file)
    • dropped C:\Users\user\Desktop\SFS5D46.tmp (PE32) and started it (signature on this node: Multi AV Scanner detection for dropped file)
      • SFS5D46.tmp dropped C:\Users\user\Desktop\SFS5D75.tmp (PE32) and started it

Source | Detection | Scanner | Label | Link
ws_ftp le 508.exe | 22% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\SFS5D46.tmp | 22% | ReversingLabs | |
C:\Users\user\Desktop\SFS5D75.tmp | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.ipswitch.comopenHTTP://www.ipswitch.comWS_FTPhttp://www.ipswitch.com/downloads/ws_ftp_PRO | 0% | Avira URL Cloud | safe |

No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.ipswitch.com | SFS5D46.tmp.0.dr | false | | high
https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch | SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | false | | high
HTTP://www.ipswitch.com | SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | false | | high
http://www.ipswitch.com/downloads/ws_ftp_PRO.html | SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | false | | high
http://www.ipswitch.comopenHTTP://www.ipswitch.comWS_FTPhttp://www.ipswitch.com/downloads/ws_ftp_PRO | SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | false | Avira URL Cloud: safe | unknown
http://www.ipswitch.com/products/ws_ftp/ | SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | false | | high
http://www.ipswitch.com/products/ws_ftp/DLG_NOT_AUTHRemoveDIRWS_FTPINSTOPTSWS_FTPWS_FTP.exe%s | SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr | false | | high

No contacted IP infos
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1438423
              Start date and time:2024-05-08 17:52:47 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 12s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:ws_ftp le 508.exe
              Detection:MAL
              Classification:mal56.winEXE@5/2@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 21
              • Number of non-executed functions: 58
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
              • VT rate limit hit for: ws_ftp le 508.exe
              No simulations
              No context
              Process:C:\Users\user\Desktop\ws_ftp le 508.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):727552
              Entropy (8bit):7.266125935401919
              Encrypted:false
              SSDEEP:12288:dvHjaC8X3QI2u/t4UoaUPGE8cxgorFTtMwHhE9qZfdP1dr0jy5rlunptp4qm:LQA9u/t4ULcxgITK7qFdPbr0O5rlcH4
              MD5:EC184194C54DBAB8D0D84CEF50C3189A
              SHA1:DA7BCDA14A77659042EFFBF909A4ECE23D71A5BE
              SHA-256:E00D900CFE979ABE531F353112372F472F305387F361A87AC0E07C6269B1FC5A
              SHA-512:453D902CCD8068F7CB63F885B54006F1225A9B010E02130703C332C57583665AA1A787A8F0518D21FA1B77FB4B9F3169FE0B8D7182D8EAC78DE1C6157046435A
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 22%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~S...=...=...=..?7...=.p.3...=..?9...=......=...<...=..?6...=.4.;...=.Rich..=.................PE..L...3..8.....................0......B........ ....@..........................P...............................................!..P....@............................................................................... ...............................text............................... ..`.rdata....... ....... ..............@..@.data...@....0.......0..............@....rsrc........@.......@..............@..@................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\SFS5D46.tmp
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):707072
              Entropy (8bit):7.361872641098785
              Encrypted:false
              SSDEEP:12288:ovHjaC8X3QI2u/t4UoaUPGE8cxgorFTtMwHhE9qZfdP1dr0jy5rlunptp4qm:aQA9u/t4ULcxgITK7qFdPbr0O5rlcH4
              MD5:6993AF44351EE82C42D77CCF5D550A29
              SHA1:5E14F5084710C1856DE15747F9ABDE647FD81D6A
              SHA-256:88D64F61C68CDB3A3A875A18393B23E32ED6DEEB4C4071CB851B91E9B5B6A661
              SHA-512:2C585AB9D754D2466DD4E7180BF256142B2D6E3A0E4862D985BCAF7443106EA2C8C37290692A94F69D7766DC3D194B3137A02484D70E084250859D4C69986BAB
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.8.........................................@.......................... ...............................................P.......p...............................................................................S...............................text............................... ..`.rdata..............................@..@.data....L.......&..................@....idata.......P......................@....rsrc........p......."..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.171228185522057
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:ws_ftp le 508.exe
              File size:748'032 bytes
              MD5:64a58dd55cc3af76fea415ebdbec7af9
              SHA1:3ca099902c524527fecfb7f5e2bbc5d0e7c4a76b
              SHA256:9d23f416f03f351c8441fbe390893cacf00c3ec09beb7a8947023847d2428d2b
              SHA512:5daae789b606ffd6a40a408c969b4184e4eb367c5a779483814c7a112a2ef4a6f929f9448e6c81a7fc0ee577f5f8ffce46536d982709c8ec65a0d82d9724c6de
              SSDEEP:12288:QvHjaC8X3QI2u/t4UoaUPGE8cxgorFTtMwHhE9qZfdP1dr0jy5rlunptp4qm:yQA9u/t4ULcxgITK7qFdPbr0O5rlcH4
              TLSH:B1F4DF11FBFCC290F1B66A319DB186B549377C74FB31D44BA290365E99B3A81C920B27
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~S...=...=...=..?7...=.p.3...=..?9...=.......=...<...=..?6...=.4.;...=.Rich..=.................PE..L...3..8...................
              Icon Hash:6070db9bd6a79b9b
              Entrypoint:0x401842
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:
              Time Stamp:0x38F2F833 [Tue Apr 11 10:02:27 2000 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:eb140edabf6cc30fb6de453bcbc882f4
              Instruction
              push ebp
              mov ebp, esp
              push FFFFFFFFh
              push 004020F8h
              push 004019D0h
              mov eax, dword ptr fs:[00000000h]
              push eax
              mov dword ptr fs:[00000000h], esp
              sub esp, 68h
              push ebx
              push esi
              push edi
              mov dword ptr [ebp-18h], esp
              xor ebx, ebx
              mov dword ptr [ebp-04h], ebx
              push 00000002h
              call dword ptr [004020E0h]
              pop ecx
              or dword ptr [00403134h], FFFFFFFFh
              or dword ptr [00403138h], FFFFFFFFh
              call dword ptr [004020DCh]
              mov ecx, dword ptr [00403130h]
              mov dword ptr [eax], ecx
              call dword ptr [004020D8h]
              mov ecx, dword ptr [0040312Ch]
              mov dword ptr [eax], ecx
              mov eax, dword ptr [004020D4h]
              mov eax, dword ptr [eax]
              mov dword ptr [0040313Ch], eax
              call 00007F04F942C305h
              cmp dword ptr [00403110h], ebx
              jne 00007F04F942C1FEh
              push 004019BEh
              call dword ptr [004020D0h]
              pop ecx
              call 00007F04F942C2D7h
              push 0040300Ch
              push 00403008h
              call 00007F04F942C2C2h
              mov eax, dword ptr [00403128h]
              mov dword ptr [ebp-6Ch], eax
              lea eax, dword ptr [ebp-6Ch]
              push eax
              push dword ptr [00403124h]
              lea eax, dword ptr [ebp-64h]
              push eax
              lea eax, dword ptr [ebp-70h]
              push eax
              lea eax, dword ptr [ebp-60h]
              push eax
              call dword ptr [004020C8h]
              push 00403004h
              push 00403000h
              call 00007F04F942C28Fh
              Programming Language:
              • [LNK] VC++ 6.0 SP5 build 8804
              • [EXP] VC++ 6.0 SP5 build 8804
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2104 | 0x50 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x3a0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xf8 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x9dc | 0x1000 | bae576c1f4049f288e2a5f62c89f79c9 | False | 0.423095703125 | data | 4.411963957342886 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x2000 | 0x5b6 | 0x1000 | 503e775b1bc7ce0f249f8c9325ac87d8 | False | 0.1953125 | data | 2.283776335987302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x3000 | 0x140 | 0x1000 | c4590b5e069a69502aae18028b3e67a7 | False | 0.051025390625 | Matlab v4 mat-file (little endian) VersionR, numeric, rows 0, columns 0 | 0.5032120759742087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x4000 | 0x3a0 | 0x1000 | 8db07c772559061d24c652cf850b4b0d | False | 0.080810546875 | data | 1.062044026204254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0x40a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.33064516129032256
              RT_GROUP_ICON | 0x4388 | 0x14 | data | English | United States | 1.2
              DLL | Import
              KERNEL32.dll | CreateFileA, MapViewOfFile, CreateFileMappingA, OpenFile, FindFirstFileA, GetTempPathA, GetTempFileNameA, GetCurrentDirectoryA, _lclose, UnmapViewOfFile, MoveFileA, GetVersion, GetModuleFileNameA, FreeLibrary, GetCurrentProcessId, GetProcAddress, LoadLibraryA, WriteFile, CreateProcessA, WaitForSingleObject, GetStartupInfoA, GetModuleHandleA, CloseHandle
              ADVAPI32.dll | RegOpenKeyExA, RegQueryValueExA, RegCloseKey
              MSVCRT.dll | fopen, atoi, malloc, remove, strcat, memcpy, strcmp, strstr, _strlwr, strlen, sprintf, fclose, ??3@YAXPAX@Z, ??2@YAPAXI@Z, memset, fread, _chdir, _getcwd, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _access, strcpy
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              No network behavior found


              Target ID:0
              Start time:17:53:31
              Start date:08/05/2024
              Path:C:\Users\user\Desktop\ws_ftp le 508.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\ws_ftp le 508.exe"
              Imagebase:0x400000
              File size:748'032 bytes
              MD5 hash:64A58DD55CC3AF76FEA415EBDBEC7AF9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:1
              Start time:17:53:31
              Start date:08/05/2024
              Path:C:\Users\user\Desktop\SFS5D46.tmp
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\SFS5D46.tmp"
              Imagebase:0x400000
              File size:727'552 bytes
              MD5 hash:EC184194C54DBAB8D0D84CEF50C3189A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 22%, ReversingLabs
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:17:53:31
              Start date:08/05/2024
              Path:C:\Users\user\Desktop\SFS5D75.tmp
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\SFS5D75.tmp"
              Imagebase:0x400000
              File size:707'072 bytes
              MD5 hash:6993AF44351EE82C42D77CCF5D550A29
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 0%, ReversingLabs
              Reputation:low
              Has exited:true


                Execution Graph

                Execution Coverage:51.9%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:37.2%
                Total number of Nodes:86
                Total number of Limit Nodes:5
                execution_graph 156 401842 __set_app_type __p__fmode __p__commode 157 4018b1 156->157 158 4018c5 157->158 159 4018b9 __setusermatherr 157->159 168 4019ac _controlfp 158->168 159->158 161 4018ca _initterm __getmainargs _initterm 162 40191e GetStartupInfoA 161->162 164 401952 GetModuleHandleA 162->164 169 4014d6 LoadLibraryA 164->169 168->161 170 401549 FreeLibrary GetModuleFileNameA 169->170 171 4014fb GetProcAddress GetProcAddress GetProcAddress 169->171 173 40156c 170->173 174 4016ca exit _XcptFilter 170->174 171->170 172 401521 171->172 172->170 183 401539 GetCurrentProcessId 172->183 203 401342 173->203 179 4015b0 _getcwd _chdir strcat LoadLibraryA 181 401645 FreeLibrary _chdir 179->181 182 4015f5 GetProcAddress 179->182 180 40165a 180->174 185 401667 memset 180->185 181->180 182->181 184 401601 182->184 186 401548 183->186 191 40163d 184->191 192 40162d remove 184->192 231 4011bb OpenFile 185->231 186->170 189 4016a1 190 401783 CreateProcessA 189->190 193 4016aa strlen strlen 189->193 194 4017a5 WaitForSingleObject 190->194 191->181 192->181 193->174 195 4016d2 193->195 196 4017c1 remove 194->196 197 4017b6 WaitForSingleObject 194->197 198 401734 6 API calls 195->198 242 401248 strlen 195->242 196->174 197->174 197->196 198->194 200 4016f0 250 4012ce 200->250 254 401800 203->254 206 401371 fread 256 401118 memcpy 206->256 207 401369 207->174 220 401000 RegOpenKeyExA 207->220 209 4013a1 210 4013a8 209->210 212 4013ba malloc memcpy GetCurrentDirectoryA GetTempFileNameA CreateFileA 209->212 211 4014c5 fclose 210->211 211->207 213 401455 WriteFile 212->213 214 40141c GetTempPathA GetTempFileNameA CreateFileA 212->214 215 4014b9 213->215 216 40146e fread 213->216 214->210 214->213 218 4014bc FindCloseChangeNotification 215->218 216->218 219 40148f WriteFile 216->219 218->211 219->215 219->216 221 401027 220->221 222 40102e RegQueryValueExA 220->222 221->179 221->180 223 401107 RegCloseKey 222->223 224 40105f strcat strcpy strcat _access 222->224 
223->221 224->223 225 4010a1 RegQueryValueExA 224->225 225->223 226 4010c5 atoi 225->226 227 401103 226->227 228 4010d6 226->228 227->223 228->223 229 4010d8 RegQueryValueExA 228->229 229->223 230 4010f7 atoi 229->230 230->223 230->227 232 401243 GetVersion 231->232 233 4011df CreateFileMappingA 231->233 232->189 232->190 234 4011f3 MapViewOfFile 233->234 235 40123a _lclose 233->235 236 401230 FindCloseChangeNotification 234->236 237 401206 234->237 235->232 236->235 259 40115c 237->259 243 401261 strcpy _strlwr 242->243 244 40125c 242->244 245 40127c strstr 243->245 244->200 246 401293 strlen 245->246 247 40128e 245->247 248 4012a0 strcpy 246->248 249 4012ad 246->249 247->245 248->249 249->200 251 4012ea 250->251 252 4012fc sprintf FindFirstFileA 251->252 253 401334 MoveFileA strcpy 251->253 252->251 252->253 253->198 255 40134f fopen 254->255 255->206 255->207 257 401133 256->257 258 401137 memcpy 256->258 257->209 258->209 260 401184 UnmapViewOfFile 259->260 261 401166 259->261 260->236 261->260 262 401170 strcmp 261->262 262->260 263 401994 _exit

                Callgraph

                Control-flow Graph

                APIs
                • LoadLibraryA.KERNELBASE(fddint.dll,?,?,00000000), ref: 004014E7
                • GetProcAddress.KERNEL32(00000000,LoadSecurityFdd), ref: 00401501
                • GetProcAddress.KERNEL32(00000000,DelSuspectProcess), ref: 0040150C
                • GetProcAddress.KERNEL32(00000000,SetParam), ref: 00401517
                • GetCurrentProcessId.KERNEL32(00000000), ref: 0040153B
                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0040154A
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 0040155E
                • _getcwd.MSVCRT ref: 004015B8
                • _chdir.MSVCRT ref: 004015CB
                • strcat.MSVCRT(?,\SFSLogic.DLL,?,?,00000000), ref: 004015D9
                • LoadLibraryA.KERNEL32(?), ref: 004015E8
                • GetProcAddress.KERNEL32(00000000,RunProcessUsingCom), ref: 004015FB
                • remove.MSVCRT(?), ref: 00401634
                • FreeLibrary.KERNEL32(?), ref: 00401648
                • _chdir.MSVCRT ref: 00401655
                • memset.MSVCRT ref: 00401670
                • GetVersion.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401690
                • strlen.MSVCRT ref: 004016AD
                • strlen.MSVCRT ref: 004016BB
                • MoveFileA.KERNEL32(?,?), ref: 00401719
                • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040172D
                • ??2@YAPAXI@Z.MSVCRT ref: 00401735
                • strcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401744
                • strcat.MSVCRT(00000000,0040309C,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040174F
                • strcat.MSVCRT(00000000,00401976,00000000,0040309C,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401758
                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000800,00000000,00000000,?,?), ref: 00401774
                • ??3@YAXPAX@Z.MSVCRT ref: 0040177B
                • CreateProcessA.KERNELBASE(?,00401976,00000000,00000000,00000000,00000800,00000000,00000000,?,?), ref: 0040179F
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,00000000), ref: 004017B0
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,00000000), ref: 004017BB
                • remove.MSVCRT(?,?,?,?,?,?,?,00000000), ref: 004017C8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: AddressLibraryProc$Processstrcat$CreateFileFreeLoadObjectSingleWait_chdirremovestrcpystrlen$??2@??3@CurrentModuleMoveNameVersion_getcwdmemset
                • String ID: .exe$DelSuspectProcess$LoadSecurityFdd$RunProcessUsingCom$SetParam$\SFSLogic.DLL$fddint.dll
                • API String ID: 3916422402-60373743
                • Opcode ID: d5a1c937f75c8d7b89c17025dc390320e5124bf3b09acbbe6bc4dff956bcb20b
                • Instruction ID: 59754085575d6863a064e487a5cb80b000d6e00c00894dd9b8ca2cba1f24dfd1
                • Opcode Fuzzy Hash: d5a1c937f75c8d7b89c17025dc390320e5124bf3b09acbbe6bc4dff956bcb20b
                • Instruction Fuzzy Hash: DE8161B2C00218ABDF11EBA09D89EDF7B7CAB04314F1445BBF605B3191DB399A45CB68

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 45 401000-401025 RegOpenKeyExA 46 401027-401029 45->46 47 40102e-401059 RegQueryValueExA 45->47 48 401115-401117 46->48 49 401107-401114 RegCloseKey 47->49 50 40105f-40109f strcat strcpy strcat _access 47->50 49->48 50->49 51 4010a1-4010c3 RegQueryValueExA 50->51 51->49 52 4010c5-4010d4 atoi 51->52 53 401103 52->53 54 4010d6 52->54 53->49 54->49 55 4010d8-4010f5 RegQueryValueExA 54->55 55->49 56 4010f7-401101 atoi 55->56 56->49 56->53
                APIs
                • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Finjan\SurfinShield\install\install1,00000000,00000001,?,00000000), ref: 0040101D
                • RegQueryValueExA.ADVAPI32(?,Directory,00000000,?,004015A7,004015A7,00000104,74DEF550), ref: 00401055
                • strcat.MSVCRT(00000104,\bin), ref: 00401067
                • strcpy.MSVCRT(?,00000104,00000104,\bin), ref: 00401076
                • strcat.MSVCRT(?,\winsfcm.exe,?,00000104,00000104,\bin), ref: 00401087
                • _access.MSVCRT ref: 00401094
                • RegQueryValueExA.ADVAPI32(?,VersionL,00000000,?,00000104,00000104), ref: 004010BF
                • atoi.MSVCRT ref: 004010CF
                • RegQueryValueExA.ADVAPI32(?,VersionR,00000000,?,00000104,00000104), ref: 004010F1
                • atoi.MSVCRT ref: 004010FB
                • RegCloseKey.ADVAPI32(?), ref: 0040110A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: QueryValue$atoistrcat$CloseOpen_accessstrcpy
                • String ID: Directory$SOFTWARE\Finjan\SurfinShield\install\install1$VersionL$VersionR$\bin$\winsfcm.exe
                • API String ID: 2098520314-31041771
                • Opcode ID: 65e61885fb17c18efb209aa3b213dab9104abb256decaeed14945547a4f2da6b
                • Instruction ID: 9587274f73c2fef2bab9d487080f71abeba12e663352ca29afcb3d9e2aef618b
                • Opcode Fuzzy Hash: 65e61885fb17c18efb209aa3b213dab9104abb256decaeed14945547a4f2da6b
                • Instruction Fuzzy Hash: 0A31387690021DBAEF11DBA1DD85EEE7B7CAB44749F104077EA00F60A1D6B49A48CB68

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: fclosefopenfread
                • String ID: SFS
                • API String ID: 2679521937-3321536822
                • Opcode ID: 07c20854c58d725c210bb6ec4e4aaead1d06585420e296d01c4f77d64915ae2c
                • Instruction ID: f27f53a31cbd0b6726bd87a240828b5473448072a7a66b4a0719d91ee750a7be
                • Opcode Fuzzy Hash: 07c20854c58d725c210bb6ec4e4aaead1d06585420e296d01c4f77d64915ae2c
                • Instruction Fuzzy Hash: BD41AF71800218BBDF219FA0DD89EDF7B79EB44314F2082A6FA14B21E0D7758A80CB64

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                • String ID:
                • API String ID: 801014965-0
                • Opcode ID: 0ca6625504e637513bd96cbb638093d5bc478517c42de4c0199a25ecba63a2d9
                • Instruction ID: de05a624fc009e4da56da73807b390ec82bf9ce71630cb5b19aea30ce5b6d9a5
                • Opcode Fuzzy Hash: 0ca6625504e637513bd96cbb638093d5bc478517c42de4c0199a25ecba63a2d9
                • Instruction Fuzzy Hash: 78417FB1940344AFDB209FA5DE59AAA7FB8BB09711F20013BE581B72E1C7784940CB58

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 98 4011bb-4011dd OpenFile 99 401243-401247 98->99 100 4011df-4011f1 CreateFileMappingA 98->100 101 4011f3-401204 MapViewOfFile 100->101 102 40123a-40123d _lclose 100->102 103 401230-401239 FindCloseChangeNotification 101->103 104 401206-401211 call 40115c 101->104 102->99 103->102 107 401213-401215 104->107 108 401226 104->108 107->108 109 401217-401219 107->109 110 401228 108->110 112 401222-401224 109->112 113 40121b-401220 109->113 111 401229-40122a UnmapViewOfFile 110->111 111->103 112->110 113->111
                APIs
                • OpenFile.KERNEL32(00000000,?,00000000), ref: 004011D2
                • CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 004011E6
                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,00000000), ref: 004011FA
                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401233
                  • Part of subcall function 0040115C: strcmp.MSVCRT ref: 00401179
                • UnmapViewOfFile.KERNEL32(00000000,00000000), ref: 0040122A
                • _lclose.KERNEL32(00000044), ref: 0040123D
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: File$View$ChangeCloseCreateFindMappingNotificationOpenUnmap_lclosestrcmp
                • String ID:
                • API String ID: 3924220424-0
                • Opcode ID: b8582ee5dd1678f429b3e7bbcd9c487ff6e80fc0e92aea0628cb8115f69b0676
                • Instruction ID: 82b49617ec877ee4a5b9ee3c69f4470f3cece88bbbf1705d35c8fa18a954340e
                • Opcode Fuzzy Hash: b8582ee5dd1678f429b3e7bbcd9c487ff6e80fc0e92aea0628cb8115f69b0676
                • Instruction Fuzzy Hash: 01018071501228B7DB202B61EE4DEDB3E6CEB04791F004476F605F51F0CAB48A40C6F9

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 126 4012ce-4012e5 127 4012ea-4012ef 126->127 128 4012f1 127->128 129 4012f3-4012f8 127->129 128->129 130 4012fa 129->130 131 4012fc-401329 sprintf FindFirstFileA 129->131 130->131 132 401336 131->132 133 40132b-401332 131->133 135 40133a-401341 132->135 133->127 134 401334 133->134 134->135
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: FileFindFirstsprintf
                • String ID: 1@$%s%s%s%d.%s
                • API String ID: 3993882898-1896060921
                • Opcode ID: 3c8a879eb24ad21090cfa5a1977792dfd58f59d0efa1e2c30578c45b5b199129
                • Instruction ID: 471a128e66f5f84d16eb59ce74ef87f75afeba4c2c2b12453901c8599d1e9b9f
                • Opcode Fuzzy Hash: 3c8a879eb24ad21090cfa5a1977792dfd58f59d0efa1e2c30578c45b5b199129
                • Instruction Fuzzy Hash: 99F0F932A00114BBDB105F9DDC49ADF7A29F744325F10027AFA29F21F0D2748E159798

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 114 401248-40125a strlen 115 401261-40127a strcpy _strlwr 114->115 116 40125c-401260 114->116 117 40127c-40128c strstr 115->117 118 401293-40129e strlen 117->118 119 40128e-401291 117->119 120 4012a0-4012ab strcpy 118->120 121 4012ad-4012b0 118->121 119->117 122 4012b3-4012bb 120->122 121->122 123 4012c4 122->123 124 4012bd-4012c2 122->124 125 4012c7-4012cd 123->125 124->125
                APIs
                • strlen.MSVCRT ref: 0040124F
                • strcpy.MSVCRT(?,?,00000000,?,00000000,00401976,?,004016F0,?,?,?), ref: 0040126B
                • _strlwr.MSVCRT ref: 00401271
                • strstr.MSVCRT ref: 00401282
                • strlen.MSVCRT ref: 00401294
                • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000000), ref: 004012A4
                Memory Dump Source
                • Source File: 00000000.00000002.1905014804.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1904999977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905038239.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905053034.0000000000403000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1905075873.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_ws_ftp le 508.jbxd
                Similarity
                • API ID: strcpystrlen$_strlwrstrstr
                • String ID:
                • API String ID: 3295458005-0
                • Opcode ID: 95523ea8d987552f3c620344cdd5b956a4d76afb22a49ff5c4a793c8705fb119
                • Instruction ID: 56e7d78fca775b5d2133a094132e44fbdaa6b348b5623ce95af93673cf18c57d
                • Opcode Fuzzy Hash: 95523ea8d987552f3c620344cdd5b956a4d76afb22a49ff5c4a793c8705fb119
                • Instruction Fuzzy Hash: C90126325082566BD7019F79DC45A9B3BA8EF02364F2000BFF500F71E2D7B8D8019299

                Execution Graph

                Execution Coverage:7.8%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:11.9%
                Total number of Nodes:1420
                Total number of Limit Nodes:20
                execution_graph 5412 402840 GetClientRect BeginPaint 5413 402878 5412->5413 5414 402b9b GetDlgItem 5412->5414 5416 402885 GetDlgItem 5413->5416 5417 40289c SetBkMode GetTextMetricsA LocalAlloc GetSystemDefaultLangID 5413->5417 5415 4025c0 9 API calls 5414->5415 5420 402baf ValidateRect 5415->5420 5453 4025c0 5416->5453 5418 402900 CreateFontIndirectA SelectObject 5417->5418 5419 4028ee lstrcpyA 5417->5419 5460 4027d7 5418->5460 5419->5418 5423 402bbe 5420->5423 5428 4029b2 5431 401000 2 API calls 5428->5431 5429 40299b lstrcpyA 5430 402a0e CreateFontIndirectA SelectObject 5429->5430 5432 4027d7 2 API calls 5430->5432 5433 4029c6 5431->5433 5434 402a49 5432->5434 5435 401000 2 API calls 5433->5435 5436 4027d7 2 API calls 5434->5436 5437 4029dd 5435->5437 5438 402a65 5436->5438 5439 401000 2 API calls 5437->5439 5440 4027d7 2 API calls 5438->5440 5441 4029f4 5439->5441 5442 402a81 5440->5442 5443 401000 2 API calls 5441->5443 5445 4027d7 2 API calls 5442->5445 5444 402a0b 5443->5444 5444->5430 5446 402aa1 SelectObject DeleteObject 5445->5446 5447 408e50 5446->5447 5448 402ad0 GetSystemDefaultLangID 5447->5448 5449 402ae5 lstrcpyA 5448->5449 5450 402af7 CreateFontIndirectA SelectObject 5448->5450 5449->5450 5451 4027d7 2 API calls 5450->5451 5452 402b4c SelectObject DeleteObject LocalFree SetBkMode EndPaint 5451->5452 5452->5423 5454 4025e1 GetClientRect GetDC SelectPalette RealizePalette LockResource 5453->5454 5455 4025d3 InvalidateRect 5453->5455 5456 40266c GlobalUnlock ReleaseDC 5454->5456 5455->5454 5458 4027d2 5456->5458 5459 4027c8 UpdateWindow 5456->5459 5458->5417 5459->5458 5468 408eb0 5460->5468 5463 408eb0 5464 402808 TextOutA 5463->5464 5465 40283b SelectObject DeleteObject 5464->5465 5466 408e50 5465->5466 5467 402986 GetSystemDefaultLangID 5466->5467 5467->5428 5467->5429 5469 4027ed GetTextExtentPoint32A 5468->5469 5469->5463 5470 408a40 5471 408b11 5470->5471 5472 408a54 5471->5472 5473 408a94 5471->5473 5474 406c48 4 API calls 
5708->5715 5710->5713 5711->5713 5714 405bb7 EndDialog 5711->5714 5714->5713 5716 405b57 SetDlgItemTextA 5715->5716 5717 4078c9 DdeCreateStringHandleA DdeCreateStringHandleA DdeConnect 5715->5717 5716->5713 5718 407a3c DdeUninitialize 5717->5718 5719 40791f DdeClientTransaction DdeAccessData 5717->5719 5718->5716 5720 40795d DdeUnaccessData DdeDisconnect DdeFreeStringHandle DdeFreeStringHandle 5719->5720 5725 4079bd 5720->5725 5722 4079e4 lstrcmpiA 5724 4079fb SendMessageA 5722->5724 5722->5725 5723 407a15 DdeUninitialize 5723->5716 5724->5725 5725->5722 5725->5723 5726 40c621 5727 40c649 5726->5727 5728 40dff0 HeapAlloc 5727->5728 5729 40c656 5728->5729 5730 40dff0 HeapAlloc 5729->5730 5733 40c688 5729->5733 5731 40c675 5730->5731 5732 409b60 7 API calls 5731->5732 5731->5733 5732->5733 5867 4021e4 DialogBoxParamA 5868 402214 5867->5868 5893 402ea4 5894 402ec0 5893->5894 5895 402ed1 7 API calls 5894->5895 5896 402fba ShowWindow UpdateWindow GetTickCount 5895->5896 5897 40302e GetLastError 5895->5897 5898 402fde PeekMessageA 5896->5898 5899 401000 2 API calls 5897->5899 5900 40300a TranslateMessage DispatchMessageA 5898->5900 5901 402ffb GetTickCount 5898->5901 5902 403050 wsprintfA MessageBoxA 5899->5902 5900->5898 5901->5900 5903 403029 5901->5903 5902->5903 5869 407ae7 5870 407b51 5869->5870 5871 407afd IsWindow 5869->5871 5871->5870 5872 407b0f 5871->5872 5873 407b1f SendMessageA SendMessageA 5872->5873 5873->5870 5874 401fe9 wsprintfA lstrcatA 5876 40202d 5874->5876 5875 402097 wsprintfA 5875->5876 5876->5875 5877 4020c5 5876->5877 5878 4020fb wsprintfA 5877->5878 5879 40214f 5877->5879 5878->5877 5924 4086ac 5925 4086fc GlobalUnlock FreeResource ReleaseDC ValidateRect 5924->5925 5927 4087a5 5925->5927 5384 403aaf 5385 403d4b 5384->5385 5386 403ba8 5385->5386 5387 403ac9 5385->5387 5390 403d26 5386->5390 5391 403bb8 IsDlgButtonChecked 5386->5391 5399 403d3a 5386->5399 5388 406c48 4 API calls 5387->5388 5389 403ad4 8 API calls 5388->5389 5389->5399 5394 403d30 
5390->5394 5395 403ceb EndDialog 5390->5395 5392 403bd6 5391->5392 5393 403bdf IsDlgButtonChecked 5391->5393 5392->5393 5396 403bf6 5393->5396 5397 403bff IsDlgButtonChecked 5393->5397 5398 403d01 EndDialog 5394->5398 5394->5399 5395->5399 5396->5397 5400 403c16 5397->5400 5401 403c1f IsDlgButtonChecked 5397->5401 5398->5399 5400->5401 5402 403c36 5401->5402 5403 403c3f IsDlgButtonChecked 5401->5403 5402->5403 5404 403c56 5403->5404 5405 403c5f IsDlgButtonChecked 5403->5405 5404->5405 5406 403c76 5405->5406 5407 403c7f IsDlgButtonChecked 5405->5407 5406->5407 5408 403c96 5407->5408 5409 403c9f IsDlgButtonChecked 5407->5409 5408->5409 5410 403cb6 KiUserCallbackDispatcher 5409->5410 5410->5399 4300 40ad70 4301 40ad80 GetCurrentProcess TerminateProcess 4300->4301 4302 40ad8e 4300->4302 4301->4302 4303 40adfe ExitProcess 4302->4303 4304 40ae0f 4302->4304 5734 409b30 5737 40ad50 5734->5737 5738 40ad70 3 API calls 5737->5738 5739 409b3c 5738->5739 5880 40c6f0 5886 409d80 5880->5886 5882 40c703 5883 409020 9 API calls 5884 40c6f5 5883->5884 5884->5882 5884->5883 5885 409b90 HeapFree 5884->5885 5885->5884 5889 409d90 5886->5889 5890 409d87 5889->5890 5891 409da7 5889->5891 5890->5884 5891->5890 5892 409cc0 7 API calls 5891->5892 5892->5891 5928 4030b0 5929 4030c4 5928->5929 5930 406c48 4 API calls 5929->5930 5931 4030cf 5929->5931 5930->5931 4659 403931 4660 403a89 4659->4660 4661 403991 4660->4661 4662 40394b 4660->4662 4664 403a78 4661->4664 4666 4039a1 IsDlgButtonChecked 4661->4666 4667 403a64 4661->4667 4663 406c48 4 API calls 4662->4663 4665 403956 CheckRadioButton 4663->4665 4665->4664 4671 4039c4 IsDlgButtonChecked 4666->4671 4675 4039b8 KiUserCallbackDispatcher 4666->4675 4669 403a29 EndDialog 4667->4669 4670 403a6e 4667->4670 4669->4664 4670->4664 4672 403a3f EndDialog 4670->4672 4674 4039e7 IsDlgButtonChecked 4671->4674 4671->4675 4672->4664 4674->4675 4675->4664 5566 406477 5567 4064b4 5566->5567 5568 4064a5 5567->5568 5569 406496 SetBkColor 5567->5569 
5569->5568 5359 403ffb 5360 4040e9 5359->5360 5361 404027 5360->5361 5362 40400f 5360->5362 5364 40401a 5361->5364 5365 4040b0 5361->5365 5366 4040c5 5361->5366 5363 406c48 4 API calls 5362->5363 5363->5364 5369 4040b6 5365->5369 5370 404037 5365->5370 5367 4040d2 5366->5367 5368 40406d 5366->5368 5367->5364 5371 404052 5367->5371 5373 403f2b 4 API calls 5368->5373 5369->5364 5374 404088 KiUserCallbackDispatcher 5369->5374 5377 403f2b 5370->5377 5376 403f2b 4 API calls 5371->5376 5375 404045 5373->5375 5374->5364 5375->5364 5376->5375 5378 403f41 ShellExecuteA 5377->5378 5380 403f81 LoadStringA 5378->5380 5381 403ff6 5378->5381 5382 403fa8 wsprintfA MessageBoxA 5380->5382 5381->5375 5382->5381 5570 407c7d 5571 407c86 5570->5571 5572 407c93 PeekMessageA 5571->5572 5573 407cd2 TranslateMessage DispatchMessageA 5571->5573 5574 407cba IsDialogMessageA 5571->5574 5575 407ceb 5571->5575 5572->5571 5572->5575 5573->5571 5574->5571 5574->5573 5748 408b3e lstrcpyA lstrcpyA DialogBoxParamA 5749 408b9b 5748->5749 5750 408b8c lstrcpyA 5748->5750 5750->5749
                APIs
                  • Part of subcall function 004084DB: DialogBoxParamA.USER32(00400000,DLG_LICENSE,?,0040821E,00000000), ref: 004084FA
                  • Part of subcall function 004084DB: WriteProfileStringA.KERNEL32(WS_FTP,VERSION,2000.02.23), ref: 0040851C
                  • Part of subcall function 004084DB: WriteProfileStringA.KERNEL32(WS_FTP,EVAL,00000000), ref: 0040852E
                • MessageBoxA.USER32(?,?,00411010,00000000), ref: 004048A3
                • GetVersionExA.KERNEL32(00000094), ref: 0040499D
                • GetSystemDirectoryA.KERNEL32(?,00000200), ref: 004049D1
                • wsprintfA.USER32 ref: 004049E8
                • GetProfileStringA.KERNEL32(WS_FTP,DIR,?,00000000,00000100), ref: 00404AB5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ProfileString$Write$DialogDirectoryMessageParamSystemVersionwsprintf
                • String ID: %s%s$%s%s$%s%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\remove.exe$2000.02.23$2000.02.23$2000.02.23$DEFDIR$DEFDIR$DIR$DIR$DLG_COPY$EVAL$EVAL$EVAL$EVAL$EVAL$EVAL$GROUP$GROUP$INSTOPTS$INSTOPTS$MAILADDR$MAILADDR$MAILADDR$Uninstall WS_FTP LE$VERSION$VERSION$VERSION$VERSION$VERSION$VERSION$WSFTP16.dll$WSFTP32.dll$WSFTP32.dll$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP LE$WS_FTP LE Help$WS_FTP LE Manual$WS_FTP LE Release Notes$WS_FTP.exe$WS_FTP.exe$WS_FTP.exe$WS_FTP.hlp$WS_FTP.ini$WS_FTP.ini$WS_FTP.ini$WS_FTP.ini$WS_FTP.ini$WS_FTP.pdf$WS_FTP.pdf$WS_FTP32$WS_FTP32$WS_FTP32$WS_FTP32$WS_FTP32 LE$WS_FTP32.exe$WS_FTP32.exe$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95$WS_FTP95 LE$WS_FTP95.exe$WS_FTP95.exe$WS_FTP95.exe$\Program Files\WS_FTP$\WIN32APP\WS_FTP$\WS_FTP$\WS_FTP$_$_config_$_config_$_config_$guest@$remove.exe$remove.exe$remove32.exe$whatsnew.txt$wsftp605@$wsftple@
                • API String ID: 2404108836-3145078816
                • Opcode ID: b8c9dc46e6588e77c7316e89cd5879afd513945bd0a8b6c32b8218fa648718e9
                • Instruction ID: 00bd2da8d0ae1a8ef62b34529ab5d44e0785eb2630597541a76622a9778d434d
                • Opcode Fuzzy Hash: b8c9dc46e6588e77c7316e89cd5879afd513945bd0a8b6c32b8218fa648718e9
                • Instruction Fuzzy Hash: EEA240B5940218ABDB10DB94DC49FDA77BCAB48705F0480B6F708F21D2E7789A848F6D

                Control-flow Graph

                APIs
                • GetTempPathA.KERNEL32(00000100,?,?,?), ref: 00406515
                • lstrlenA.KERNEL32(?,?,?), ref: 00406522
                • lstrlenA.KERNEL32(?,?,?), ref: 00406540
                • lstrlenA.KERNEL32(?,?,?), ref: 0040655E
                • GetTempFileNameA.KERNELBASE(?,WFT,00000000,WFT5DD2.tmp), ref: 004065AE
                • lstrlenA.KERNEL32(00000000), ref: 004065DD
                • lstrcatA.KERNEL32(?,004115D4), ref: 00406605
                • GetVersion.KERNEL32 ref: 0040660B
                • LoadIconA.USER32(00400000,APP_MAIN), ref: 00406780
                • LoadCursorA.USER32(00000000,00007F00), ref: 00406793
                • CreateSolidBrush.GDI32(00808000), ref: 004067A4
                • RegisterClassA.USER32(0000200B), ref: 004067CB
                • MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 0040681E
                • GetDesktopWindow.USER32 ref: 00406832
                • GetWindowRect.USER32(00000000), ref: 00406839
                • CreateWindowExA.USER32(00000000,WSInstal,WS_FTP Limited Edition Install (32),02C80000,?,?,00000258,00000190,00000000,00000000,00400000,00000000), ref: 0040690C
                • MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00406966
                • ShowWindow.USER32(0002044E,00000001), ref: 0040697E
                • PostMessageA.USER32(0002044E,00000111,00000064,00000000), ref: 004069AF
                • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 004069C2
                • IsDialogMessageA.USER32(00000000,?), ref: 004069EA
                • TranslateMessage.USER32(?), ref: 004069FF
                • DispatchMessageA.USER32(?), ref: 00406A0C
                  • Part of subcall function 0040308B: DestroyWindow.USER32(0j@,?,?,?,?,00406A30,00000000), ref: 00403095
                Strings
                Similarity
                • API ID: Message$Window$lstrlen$CreateLoadTemp$BrushCallbackClassCursorDesktopDestroyDialogDispatchDispatcherFileIconNamePathPostRectRegisterShowSolidTranslateUserVersionlstrcat
                • String ID: APP_MAIN$WFT$WFT5DD2.tmp$WSInstal$WSInstal$WS_FTP Limited Edition Install (32)
                • API String ID: 882306480-2460812804
                • Opcode ID: 6da9ebbad4ad1128a3a7247eab9633f63d2eb1363ff4f0f7c1e62b4d6dbe1793
                • Instruction ID: 6aa823dbcf9b747cb28b3bb7b43084bdf57f66e68e56781b1ef511cba06a127d
                • Opcode Fuzzy Hash: 6da9ebbad4ad1128a3a7247eab9633f63d2eb1363ff4f0f7c1e62b4d6dbe1793
                • Instruction Fuzzy Hash: D3D131B1A00218EFDB21DF64DC49BDD77B8EB04706F1080B6E649E62D0D7B89A94CF59

                Control-flow Graph

                APIs
                • LoadBitmapA.USER32(00400000,IPSWITCH), ref: 00406AE9
                • lstrcpyA.KERNEL32(WS_FTP LE Help,WS_FTP LE Help), ref: 00406AFE
                • lstrcpyA.KERNEL32(WS_FTP LE Release Notes,WS_FTP LE Release Notes), ref: 00406B0E
                • lstrcpyA.KERNEL32(Uninstall WS_FTP LE,Uninstall WS_FTP LE), ref: 00406B1E
                • lstrcpyA.KERNEL32(WS_FTP Icon Placement,WS_FTP Icon Placement), ref: 00406B2E
                • lstrcpyA.KERNEL32(WS_FTP Explorer Help,WS_FTP Explorer Help), ref: 00406B3E
                • LoadBitmapA.USER32(00400000,WS_BMP), ref: 00406B4F
                • CreateSolidBrush.GDI32(00C0C0C0), ref: 00406B5F
                • DeleteObject.GDI32(80050DCC), ref: 00406B9B
                • DeleteObject.GDI32(2F050DE9), ref: 00406BB4
                • DeleteObject.GDI32(10100DE8), ref: 00406BC0
                • DefWindowProcA.USER32(?,?,?,?), ref: 00406BD6
                Strings
                Similarity
                • API ID: lstrcpy$DeleteObject$BitmapLoad$BrushCreateProcSolidWindow
                • String ID: IPSWITCH$Uninstall WS_FTP LE$Uninstall WS_FTP LE$WS_BMP$WS_FTP Explorer Help$WS_FTP Explorer Help$WS_FTP Icon Placement$WS_FTP Icon Placement$WS_FTP LE Help$WS_FTP LE Help$WS_FTP LE Release Notes$WS_FTP LE Release Notes$d
                • API String ID: 3189719223-1049329174
                • Opcode ID: afd370393dcc3e61c370d8e39c01adb4afc0dabf8e63583fef7b8d7b80086d20
                • Instruction ID: 8cda597b1dbf26d671badf92cf0063951e3bc435f85b83474f0ac230575785ec
                • Opcode Fuzzy Hash: afd370393dcc3e61c370d8e39c01adb4afc0dabf8e63583fef7b8d7b80086d20
                • Instruction Fuzzy Hash: A6416DB1604214EFCB109FA8ED49FD937B8EB58742F148476F647E72A0C6789990CB1D

                Control-flow Graph

                APIs
                • CheckDlgButton.USER32(00000110,00000976,?), ref: 00403AE7
                • CheckDlgButton.USER32(00000110,00000977,?), ref: 00403B00
                • CheckDlgButton.USER32(00000110,00000978,?), ref: 00403B19
                • CheckDlgButton.USER32(00000110,00000979,?), ref: 00403B32
                • CheckDlgButton.USER32(00000110,0000097A,?), ref: 00403B4B
                • CheckDlgButton.USER32(00000110,0000097B,?), ref: 00403B64
                • CheckDlgButton.USER32(00000110,0000097C,?), ref: 00403B7D
                • CheckDlgButton.USER32(00000110,0000097D,?), ref: 00403B98
                Strings
                Similarity
                • API ID: ButtonCheck
                • String ID: @
                • API String ID: 83588225-2766056989
                • Opcode ID: d4192ab5e582f465debaf320fa58ec8ca6353ecfff21f76111d2e7630dba6dd5
                • Instruction ID: 6e910f93d41afd629374aee162e22e6f7f537e8d87cc65e4d8e047c8bbb76c06
                • Opcode Fuzzy Hash: d4192ab5e582f465debaf320fa58ec8ca6353ecfff21f76111d2e7630dba6dd5
                • Instruction Fuzzy Hash: B261FB76A15608FFEB10CF98C949ADE7FBDEB04742F108426F546EB290C678DB409B19

                Control-flow Graph

                APIs
                • CheckRadioButton.USER32(?,0000073B,0000073C,0000073B), ref: 00405C9B
                • GetProfileStringA.KERNEL32(WS_FTP,DEFDIR,00411500,?,00000100), ref: 00405CBC
                • GetProfileIntA.KERNEL32(WS_FTP,INSTOPTS,00000000), ref: 00405CD6
                • GetDlgItem.USER32(?,0000073C), ref: 00405CF4
                • EnableWindow.USER32(00000000), ref: 00405CFB
                Strings
                Similarity
                • API ID: Profile$ButtonCheckEnableItemRadioStringWindow
                • String ID: DEFDIR$INSTOPTS$WS_FTP$WS_FTP
                • API String ID: 2788321495-3855382250
                • Opcode ID: 80b65d23e32e508649bb91a3bd778256950a19d1fce81bf16b8b38bfeeb2225c
                • Instruction ID: 7402c9404ba12bcccc2f0bdf46cd120c891bed680ed92d051f0d0311fee1ba70
                • Opcode Fuzzy Hash: 80b65d23e32e508649bb91a3bd778256950a19d1fce81bf16b8b38bfeeb2225c
                • Instruction Fuzzy Hash: C1314A74A44604FBEB109F94CC4DBDB3B69EF44741F208467B60AEA2D1C2BC9A81DF59

                Control-flow Graph

                APIs
                • CompareStringA.KERNELBASE(00000000,00000000,0040F34C,00000001,0040F34C,00000001,024F0C50,?,?,FFFFFFFE,?,FFFFFFFE,?,?,?), ref: 0040D162
                • CompareStringW.KERNEL32(00000000,00000000,0040F350,00000001,0040F350,00000001,?,?,?,?,0040663B,004115D8), ref: 0040D1A2
                • CompareStringA.KERNEL32(?,?,?,?,?,?,024F0C50,?,?,FFFFFFFE,?,FFFFFFFE,?,?,?), ref: 0040D1FB
                Similarity
                • API ID: CompareString
                • String ID:
                • API String ID: 1825529933-0
                • Opcode ID: 1a8b79c94fde63c2d1adcd9f462e1673e0e85a039392aabb915b774bf46f4ae0
                • Instruction ID: f9fce229bb88f211719382ffdb0721d7cf90932293ee3565554149a7e3adf5ce
                • Opcode Fuzzy Hash: 1a8b79c94fde63c2d1adcd9f462e1673e0e85a039392aabb915b774bf46f4ae0
                • Instruction Fuzzy Hash: 6391FA72B043106BD7209BD5EC81BABB7A8DB85365F44047BF940E6280D57FE84D87AA

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 403931-403aac call IsDlgButtonChecked, CheckRadioButton, EndDialog and KiUserCallbackDispatcher, plus subroutine 406c48.
                APIs
                • CheckRadioButton.USER32(00000110,0000073B,0000073E,-0000073A), ref: 00403981
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ButtonCheckRadio
                • String ID:
                • API String ID: 2493629399-0
                • Opcode ID: dbc05ff49b0c900893eb71ca2a9881250b1c0e5f97c8ae091de0a2ed1427cce0
                • Instruction ID: ae9914eddabf1d7a4451d0649c056647c244a805527381bb06534f228f0defb9
                • Opcode Fuzzy Hash: dbc05ff49b0c900893eb71ca2a9881250b1c0e5f97c8ae091de0a2ed1427cce0
                • Instruction Fuzzy Hash: 0431F8B5B04208FBEB10CF98C849BDA7FADAB04346F108426B545AB2C0D27CDB45DF5A

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 40ec20-40ecc3 call SetCurrentDirectoryA, GetCurrentDirectoryA, SetEnvironmentVariableA and GetLastError, plus subroutines 40ed90 and 40ac90.
                APIs
                • SetCurrentDirectoryA.KERNELBASE(?), ref: 0040EC2B
                • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 0040EC3F
                • SetEnvironmentVariableA.KERNEL32(0000005C,?), ref: 0040EC96
                • GetLastError.KERNEL32 ref: 0040ECA9
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: CurrentDirectory$EnvironmentErrorLastVariable
                • String ID: /$:
                • API String ID: 373561786-4222935259
                • Opcode ID: 5800be77dd3a4d5b16c417f98cfdd3cd3fed30e0ab49c82dadbf7a7ed143fba0
                • Instruction ID: 3e44c1927b87fded5810ae1b30d801f600d11ce2a96b1e3263037d11be6f8aef
                • Opcode Fuzzy Hash: 5800be77dd3a4d5b16c417f98cfdd3cd3fed30e0ab49c82dadbf7a7ed143fba0
                • Instruction Fuzzy Hash: 38018E6050C380AAF711D775A8097AB7BD85B81B04F48CD7DB4D8D22C1E67EC868EB67

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 403d71-403f2a call DialogBoxParamA twice, plus subroutine 405e17.
                APIs
                • DialogBoxParamA.USER32(00400000,DLG_FUNCTION,00000002,Function_00003931,00000000), ref: 00403E08
                • DialogBoxParamA.USER32(00400000,DLG_FTP_USE,00000002,Function_00003AAF,00000000), ref: 00403E57
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: DialogParam
                • String ID: DLG_FTP_USE$DLG_FUNCTION
                • API String ID: 665744214-1741520859
                • Opcode ID: 33314d246c416ce3cc7aecdb0801773efc0e0e17494086ab5372d94db4b38e5e
                • Instruction ID: da105ce1ee023838a847b9b87191b81ccf3187952505922d3ffb8d72c63baa46
                • Opcode Fuzzy Hash: 33314d246c416ce3cc7aecdb0801773efc0e0e17494086ab5372d94db4b38e5e
                • Instruction Fuzzy Hash: 1941A270D08209EADB10CF94C9497BEBFB8AF05326F204677E521B62D1C3794B45DB9A

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 403ffb-404113 call KiUserCallbackDispatcher, plus subroutines 406c48 and 403f2b (three call sites, one per URL string below).
                Strings
                • http://www.ipswitch.com/downloads/ws_ftp_PRO.html, xrefs: 00404037
                • https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch+Inc, xrefs: 00404052
                • http://www.ipswitch.com/products/ws_ftp/, xrefs: 0040406D
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID:
                • String ID: http://www.ipswitch.com/downloads/ws_ftp_PRO.html$http://www.ipswitch.com/products/ws_ftp/$https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch+Inc
                • API String ID: 0-2351002988
                • Opcode ID: 5f1340747332a71e15a10f4fb326fff5565ddcb7113a7eb510d6c60262a9153e
                • Instruction ID: 287d8b5b8386b54366d1a56125878b1f819d8532d2fedd08a0727f5bc58b309e
                • Opcode Fuzzy Hash: 5f1340747332a71e15a10f4fb326fff5565ddcb7113a7eb510d6c60262a9153e
                • Instruction Fuzzy Hash: 142169B5A08205F7DB10DA58C84A7DE76689B90345F208437BB06BB2C0D2FCCAC5975B

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 4099d0-409b55 call GetVersion, GetCommandLineA, GetStartupInfoA and GetModuleHandleA, plus subroutines 40be00, 40bc20, 40bc10, 40b7b0, 40ad30, 40b530, 40b450, 40ad00, 40b3f0 and 4064e3.
                APIs
                • GetVersion.KERNEL32 ref: 004099F6
                  • Part of subcall function 0040BE00: HeapCreate.KERNELBASE(00000001,00001000,00000000,00409A36), ref: 0040BE09
                  • Part of subcall function 0040BC20: GetStartupInfoA.KERNEL32(?), ref: 0040BC88
                  • Part of subcall function 0040BC20: GetFileType.KERNEL32(00000000), ref: 0040BD36
                • GetCommandLineA.KERNEL32 ref: 00409A47
                  • Part of subcall function 0040B7B0: GetEnvironmentStringsW.KERNEL32 ref: 0040B7C6
                  • Part of subcall function 0040B7B0: GetEnvironmentStringsW.KERNEL32 ref: 0040B815
                • GetStartupInfoA.KERNEL32(?), ref: 00409AE2
                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B01
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: EnvironmentInfoStartupStrings$CommandCreateFileHandleHeapLineModuleTypeVersion
                • String ID:
                • API String ID: 4198008335-0
                • Opcode ID: 59f1854a89c2f5bb9b1186e1d773dbab684a1d78de87c00385bbf79efcb552c5
                • Instruction ID: e8feff56f09fcb000cd912d670c7754ddaf711f84c9b9c3108bebf31642246aa
                • Opcode Fuzzy Hash: 59f1854a89c2f5bb9b1186e1d773dbab684a1d78de87c00385bbf79efcb552c5
                • Instruction Fuzzy Hash: 4B41F4B19042859EE721AFB5D80579ABFA4EF41350F28453AE484A22D3E73C4941CF9D

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 40ad70-40ae12 call GetCurrentProcess, TerminateProcess and ExitProcess, plus subroutine 40ae20.
                APIs
                • GetCurrentProcess.KERNEL32(?,?,?,?,0040AD3E,?,00000000,00000000,00409A70,000000FF), ref: 0040AD81
                • TerminateProcess.KERNEL32(00000000,?,?,?,0040AD3E,?,00000000,00000000,00409A70,000000FF), ref: 0040AD88
                • ExitProcess.KERNEL32 ref: 0040AE09
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: ac6d2a0288e75e0d524355392d0d92dcc1e6e39f1651e2cd1cb89c3e44184fbf
                • Instruction ID: 82fefd74ab16f9c499f3b549766f12899c53074dc45fd232047e1bf61e9d3096
                • Opcode Fuzzy Hash: ac6d2a0288e75e0d524355392d0d92dcc1e6e39f1651e2cd1cb89c3e44184fbf
                • Instruction Fuzzy Hash: C6019231951300EFDA10AF54FD457C73B66AF94346F11403BE504626A0E7B898D4CBAF

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 405e17-405e50 call DialogBoxParamA.
                APIs
                • DialogBoxParamA.USER32(?,DLG_INSTALL,?,00405C60,00000000), ref: 00405E3B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: DialogParam
                • String ID: DLG_INSTALL
                • API String ID: 665744214-847654678
                • Opcode ID: 813eb854cdf9a7e8cb3158bbb59208605aae17e13c97a0eef6e7443a5bd16773
                • Instruction ID: c843d083da198cdeadd9f5cb6935d17cfb22cbb9a30d4f44eec3808a8b47750c
                • Opcode Fuzzy Hash: 813eb854cdf9a7e8cb3158bbb59208605aae17e13c97a0eef6e7443a5bd16773
                • Instruction Fuzzy Hash: 41E04F75601208FBD700DB98DC49FCF77BCDB40754F204022B505F7180C274AE008B94

                Control-flow Graph
                • Graph rendering not recoverable as text; basic block 404116-40413c calls DialogBoxParamA.
                APIs
                • DialogBoxParamA.USER32(00400000,DLG_NOT_AUTH,?,Function_00003FFB,00000000), ref: 00404132
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: DialogParam
                • String ID: DLG_NOT_AUTH
                • API String ID: 665744214-157816563
                • Opcode ID: 372aec99ca1dd0569ab48627e1e8972865288bfc45e06272f9d849c4741347dd
                • Instruction ID: d0e5221ce7d36dde7fd57f9faeb2560cd22dfbfd1b9f1b505e9fd0d339a40e19
                • Opcode Fuzzy Hash: 372aec99ca1dd0569ab48627e1e8972865288bfc45e06272f9d849c4741347dd
                • Instruction Fuzzy Hash: 53D0C976340204BBD6105A8AEC8AFD77B6CDB85AE6F204022F605D6190D2A4AD4087A8

                Control-flow Graph
                • Graph rendering not recoverable as text; basic blocks 409150-40917f call DeleteFileA and GetLastError, plus subroutine 40ac90 on the error path.
                APIs
                • DeleteFileA.KERNELBASE(?,0040918A,?,0040332C,?), ref: 00409155
                • GetLastError.KERNEL32 ref: 00409164
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: DeleteErrorFileLast
                • String ID:
                • API String ID: 2018770650-0
                • Opcode ID: e4470ded3228b0f8c465be9b9c57ba766ec7c5e47e70f6df50857f62e7a0e210
                • Instruction ID: 8d522558ccb394645039148d93f6208a045b8b9362c0c1ed3223902ff1e236d0
                • Opcode Fuzzy Hash: e4470ded3228b0f8c465be9b9c57ba766ec7c5e47e70f6df50857f62e7a0e210
                • Instruction Fuzzy Hash: AED0C9B8B006019BEA009F79AC0CB4B32A86F80725F484635B419E62D1EA3CCC40961A

                Control-flow Graph
                • Graph rendering not recoverable as text; basic block 40be00-40be14 calls HeapCreate.
                APIs
                • HeapCreate.KERNELBASE(00000001,00001000,00000000,00409A36), ref: 0040BE09
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: 62a5a0bcb5d34406380dc76731c2023e84535e75953e2e25a6d74dc1d6a6451a
                • Instruction ID: db970c6eab93140bde6e1bea02bcba5b5e832bbd6ad103fc26957ecf92c0528c
                • Opcode Fuzzy Hash: 62a5a0bcb5d34406380dc76731c2023e84535e75953e2e25a6d74dc1d6a6451a
                • Instruction Fuzzy Hash: A0B012702C1300AAE3100B505D06BC036545384B53F20403472005C1D5D6F02080570C
                APIs
                • StretchDIBits.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00408763
                • GlobalUnlock.KERNEL32(00000000), ref: 0040876F
                • FreeResource.KERNEL32(00000000), ref: 0040877B
                • ReleaseDC.USER32(?,00000000), ref: 00408789
                • ValidateRect.USER32(?,00000000), ref: 00408795
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: BitsFreeGlobalRectReleaseResourceStretchUnlockValidate
                • String ID: 0p)u
                • API String ID: 2343598975-3786888629
                • Opcode ID: 2a297a6c057b7aee1118c63364cd83db08cd16441d64cba85230994e864cc6b1
                • Instruction ID: c2bd4c87146c0236e3aeaeebb8c11e102946ddb23a7267606f31061a64c62bfc
                • Opcode Fuzzy Hash: 2a297a6c057b7aee1118c63364cd83db08cd16441d64cba85230994e864cc6b1
                • Instruction Fuzzy Hash: AE218BB5A44600AFD700CFACED85FDAB7E9E748301F108425F505D7262D675A9418B18
                APIs
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00406292
                • OpenProcessToken.ADVAPI32(00000000), ref: 00406299
                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004062AA
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 004062CE
                • ExitWindowsEx.USER32(00000000,00000000), ref: 004062DA
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
                • String ID: SeShutdownPrivilege
                • API String ID: 1314775590-3733053543
                • Opcode ID: 98c75df6f3c32253a300485c81cd218314744e3a74c34b75ae499729e3bf6d4e
                • Instruction ID: b9b6fd4e747a5c3d2ee25e616a44dcde159e042dfcca196fa10a81d74fed8777
                • Opcode Fuzzy Hash: 98c75df6f3c32253a300485c81cd218314744e3a74c34b75ae499729e3bf6d4e
                • Instruction Fuzzy Hash: B9015A71940608EBFB20ABE4DC4DFDE7BB8EB44746F204029F616AB1D1C3B95484CB68
                APIs
                • GetLocalTime.KERNEL32(?), ref: 004098CC
                • GetSystemTime.KERNEL32(?), ref: 004098D7
                • GetTimeZoneInformation.KERNEL32(?), ref: 00409930
                Similarity
                • API ID: Time$InformationLocalSystemZone
                • String ID:
                • API String ID: 2475273158-0
                • Opcode ID: 6a1ec4e42a3ef9ce4888345a1e6057eba0a435f36c26075e6220aa95fe08ba1f
                • Instruction ID: 249808347673ee99c8fb87ac1726bd7f2d7de3a41c743f1566682b4e52b3e9f5
                • Opcode Fuzzy Hash: 6a1ec4e42a3ef9ce4888345a1e6057eba0a435f36c26075e6220aa95fe08ba1f
                • Instruction Fuzzy Hash: D32138B94086029AC710EF68D941AABB3E5EB89304F50C93DE599D3794F738CD81CB99
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5fe6640f6d50eaeccf053c58d8051a3b325dc1b5cf0786584cae736090ab52ca
                • Instruction ID: 4a857fce57f4448a3b874f24d6ecdb87d4e2565195bc8d7bf8cf2cd9d5d55d27
                • Opcode Fuzzy Hash: 5fe6640f6d50eaeccf053c58d8051a3b325dc1b5cf0786584cae736090ab52ca
                • Instruction Fuzzy Hash: CD416D31A083548FE31489999908373B6E3E781310F2845BBCB66672D1D6BDA837D78F
                APIs
                • lstrcpyA.KERNEL32(?,Remove), ref: 00404155
                • GetProfileStringA.KERNEL32(WS_FTP,DIR,00410C88,?,00000100), ref: 00404176
                • GetProfileIntA.KERNEL32(WS_FTP,INSTOPTS,00000000), ref: 00404190
                • wsprintfA.USER32 ref: 004041C1
                • wsprintfA.USER32 ref: 004041F1
                • wsprintfA.USER32 ref: 00404221
                • wsprintfA.USER32 ref: 00404251
                • wsprintfA.USER32 ref: 00404281
                • wsprintfA.USER32 ref: 004042B1
                • wsprintfA.USER32 ref: 004042E1
                  • Part of subcall function 00409190: GetFileAttributesA.KERNEL32(00000000,004042F8,?,00000000), ref: 00409195
                  • Part of subcall function 00409190: GetLastError.KERNEL32 ref: 004091A0
                • wsprintfA.USER32 ref: 00404314
                • MessageBoxA.USER32(?,?,WS_FTP95,00000004), ref: 0040432F
                • wsprintfA.USER32 ref: 00404390
                • wsprintfA.USER32 ref: 004043F0
                • wsprintfA.USER32 ref: 00404420
                • GetProfileStringA.KERNEL32(WS_FTP,GROUP,00413A50,?,00000100), ref: 00404465
                • wsprintfA.USER32 ref: 004044AE
                • wsprintfA.USER32 ref: 004044F1
                • wsprintfA.USER32 ref: 0040452D
                • wsprintfA.USER32 ref: 00404572
                • wsprintfA.USER32 ref: 004045AE
                • lstrcpyA.KERNEL32(?,Uninstall WS_FTP LE), ref: 00404641
                  • Part of subcall function 00407399: wsprintfA.USER32 ref: 004074F3
                • wsprintfA.USER32 ref: 004046BB
                  • Part of subcall function 00407736: wsprintfA.USER32 ref: 00407778
                  • Part of subcall function 00407736: DdeUninitialize.USER32(00000000), ref: 0040779C
                  • Part of subcall function 0040EBF0: RemoveDirectoryA.KERNEL32(?,00404719,?), ref: 0040EBF5
                  • Part of subcall function 0040EBF0: GetLastError.KERNEL32 ref: 0040EC04
                • WriteProfileStringA.KERNEL32(WS_FTP,00000000,00000000), ref: 0040473A
                • MessageBoxA.USER32(?,?,?,00000040), ref: 0040477A
                • wsprintfA.USER32 ref: 004047B3
                • MessageBoxA.USER32(?,?,?,00000040), ref: 004047D0
                • MessageBoxA.USER32(?,?,?,00000040), ref: 00404808
                Strings
                Similarity
                • API ID: wsprintf$MessageProfile$String$ErrorLastlstrcpy$AttributesDirectoryFileRemoveUninitializeWrite
                • String ID: %s (32)$%s (95)$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s$%s\remove.exe$DIR$GROUP$INSTOPTS$Remove$Uninstall WS_FTP LE$WSFTP16.dll$WSFTP32.dll$WSFTP32.dll$WS_DIAG$WS_Diag.exe$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP$WS_FTP Documentation$WS_FTP LE$WS_FTP LE Help$WS_FTP LE Manual$WS_FTP LE Release Notes$WS_FTP Pro Explorer$WS_FTP Pro Explorer Help$WS_FTP Pro Explorer.{49707377-6974-6368-2E4a-756e6f644a01}$WS_FTP.exe$WS_FTP.exe$WS_FTP.hlp$WS_FTP.ini$WS_FTP.pdf$WS_FTP.pdf$WS_FTP.pdf$WS_FTP32 LE$WS_FTP32 LE$WS_FTP32.exe$WS_FTP32.exe$WS_FTP95$WS_FTP95 LE$WS_FTP95 LE$WS_FTP95.exe$WS_FTP95.exe$You have an INI file in the %s directory.Do you want to delete it?WARNING: Deleting the INI will eliminate old stored profiles!$nsftp.hlp$remove.exe$whatsnew.txt
                • API String ID: 2637603324-1425071345
                • Opcode ID: a0ec13a249e0656dccb4c11133ca058a406507b5b8e7636401f2e30d5c72b70e
                • Instruction ID: 0857025733ea1214f40c946ebcb0bc383f7f27ff5b443566ac3d62c763d63313
                • Opcode Fuzzy Hash: a0ec13a249e0656dccb4c11133ca058a406507b5b8e7636401f2e30d5c72b70e
                • Instruction Fuzzy Hash: ABF120F5D40218AAEB10D790DC46FDA737CAB44705F5404A7F718F2082E6B8ABD58E6D
                APIs
                • GetClientRect.USER32(?,?), ref: 00402854
                • BeginPaint.USER32(?,?), ref: 00402865
                • SelectObject.GDI32(00000000,00000001), ref: 00402AB3
                • DeleteObject.GDI32(?), ref: 00402ABD
                • GetSystemDefaultLangID.KERNEL32 ref: 00402AD3
                • lstrcpyA.KERNEL32(?,Arial), ref: 00402AF1
                • CreateFontIndirectA.GDI32(?), ref: 00402B1F
                • SelectObject.GDI32(00000000,?), ref: 00402B30
                • SelectObject.GDI32(00000000,00000001), ref: 00402B5A
                • DeleteObject.GDI32(?), ref: 00402B64
                • LocalFree.KERNEL32(?), ref: 00402B6E
                • SetBkMode.GDI32(00000000,?), ref: 00402B7F
                • EndPaint.USER32(?,?), ref: 00402B90
                • GetDlgItem.USER32(?,00000064), ref: 0040288D
                  • Part of subcall function 004025C0: InvalidateRect.USER32(?,00000000,00000001), ref: 004025DB
                  • Part of subcall function 004025C0: GetClientRect.USER32(?,?), ref: 004025E9
                  • Part of subcall function 004025C0: GetDC.USER32(?), ref: 004025F3
                  • Part of subcall function 004025C0: SelectPalette.GDI32(?,00000000,00000000), ref: 00402608
                  • Part of subcall function 004025C0: RealizePalette.GDI32(?), ref: 00402612
                  • Part of subcall function 004025C0: LockResource.KERNEL32(00000000), ref: 0040261E
                  • Part of subcall function 00401000: LoadStringA.USER32(00400000,?,0000273B,00000000), ref: 0040102F
                  • Part of subcall function 00401000: wsprintfA.USER32 ref: 0040104D
                  • Part of subcall function 004027D7: GetTextExtentPoint32A.GDI32(?,?,00000000), ref: 004027F9
                  • Part of subcall function 004027D7: TextOutA.GDI32(?,?,?,00000000,00000000), ref: 00402827
                • SetBkMode.GDI32(00000000,00000001), ref: 004028A2
                • GetTextMetricsA.GDI32(00000000,?), ref: 004028C9
                • LocalAlloc.KERNEL32(00000040,0000003C), ref: 004028D3
                • GetSystemDefaultLangID.KERNEL32 ref: 004028DC
                • lstrcpyA.KERNEL32(?,Arial), ref: 004028FA
                • CreateFontIndirectA.GDI32(?), ref: 0040292B
                • SelectObject.GDI32(00000000,?), ref: 0040293C
                • SelectObject.GDI32(00000000,00000001), ref: 00402969
                • DeleteObject.GDI32(?), ref: 00402973
                • GetSystemDefaultLangID.KERNEL32 ref: 00402989
                • lstrcpyA.KERNEL32(?,Arial), ref: 004029A7
                • CreateFontIndirectA.GDI32(?), ref: 00402A1C
                • SelectObject.GDI32(00000000,?), ref: 00402A2D
                • GetDlgItem.USER32(?,00000064), ref: 00402BA3
                • ValidateRect.USER32(?,00000000), ref: 00402BB8
                Strings
                Similarity
                • API ID: Object$Select$Rect$CreateDefaultDeleteFontIndirectLangSystemTextlstrcpy$ClientItemLocalModePaintPalette$AllocBeginExtentFreeInvalidateLoadLockMetricsPoint32RealizeResourceStringValidatewsprintf
                • String ID: Arial$Arial$Arial$File Transfer Client$H$Redistribution Not Permitted$WS_FTP$by John A. Junod$for Windows 95 and Windows NT
                • API String ID: 3244805615-2750852661
                • Opcode ID: f7e0b65c63411d13e41a150b1a8ad75316ebaea120cf2a491ed0ff57a0b43807
                • Instruction ID: a63c96d08175b440fc66b48f95dfee8792f23bd6b1a2e38f989b8e4338bb7585
                • Opcode Fuzzy Hash: f7e0b65c63411d13e41a150b1a8ad75316ebaea120cf2a491ed0ff57a0b43807
                • Instruction Fuzzy Hash: 64B1E9B1E00218EFDB00DFE8DD49FDEB7B9BB08305F044425F619EB295D6B8A9448B58
                APIs
                • PrintDlgA.COMDLG32(00000042), ref: 00407D7A
                • SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 00407D9E
                Strings
                Similarity
                • API ID: MessagePrintSend
                • String ID: Arial$B$PRINTDLGBOX
                • API String ID: 1282429637-778315728
                • Opcode ID: 866afc0d25d58d0436a5d1de29721ece1743e9dadf4320d3f417201a3ef8ac0d
                • Instruction ID: ddc83824f29d7f70be75272ee3a59284ce05284ade8471d6726e8f81a2fa368e
                • Opcode Fuzzy Hash: 866afc0d25d58d0436a5d1de29721ece1743e9dadf4320d3f417201a3ef8ac0d
                • Instruction Fuzzy Hash: 78D1E575A04319DFDB10DF98C948BEDBBB9BF44305F1080AAE549EB290C7789985CF1A
                APIs
                • CheckDlgButton.USER32(?,00000973,0000011F), ref: 00402258
                • CheckDlgButton.USER32(?,00000974,0000011F), ref: 00402270
                • CheckDlgButton.USER32(?,00000975,0000011F), ref: 00402288
                • CheckDlgButton.USER32(?,00000976,0000011F), ref: 004022A0
                • CheckDlgButton.USER32(?,00000977,0000011F), ref: 004022B8
                • CheckRadioButton.USER32(?,0000073B,0000073C,0000073C), ref: 004022DE
                • GetDlgItem.USER32(?,00000973), ref: 00402314
                • EnableWindow.USER32(00000000), ref: 0040231B
                • GetDlgItem.USER32(?,00000974), ref: 00402336
                • EnableWindow.USER32(00000000), ref: 0040233D
                • GetDlgItem.USER32(?,00000975), ref: 00402358
                • EnableWindow.USER32(00000000), ref: 0040235F
                • GetDlgItem.USER32(?,00000976), ref: 0040237A
                • EnableWindow.USER32(00000000), ref: 00402381
                • GetDlgItem.USER32(?,00000977), ref: 0040239C
                • EnableWindow.USER32(00000000), ref: 004023A3
                Strings
                Similarity
                • API ID: ButtonCheck$EnableItemWindow$Radio
                • String ID: Q#
                • API String ID: 2378590362-1075711896
                • Opcode ID: fe065abb6118fea1bf2be08154b423de4edb50c07082dbc97c509a0cf21cdbf9
                • Instruction ID: 2180ee9352df77f6be1d752d401f1166791f77e9a47027673d830c97620d17e7
                • Opcode Fuzzy Hash: fe065abb6118fea1bf2be08154b423de4edb50c07082dbc97c509a0cf21cdbf9
                • Instruction Fuzzy Hash: F8810D76A54604FBEB009FA4DD4DEDE3BA9EB44341F008425F909DB2E1C6B8D981DB5C
                APIs
                • DdeInitializeA.USER32(00000000,00407385,00000010,00000000), ref: 004078AB
                • DdeCreateStringHandleA.USER32(00000000,PROGMAN,000003EC), ref: 004078E1
                • DdeCreateStringHandleA.USER32(00000000,Groups,000003EC), ref: 004078F7
                • DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 0040790D
                • DdeClientTransaction.USER32(00000000,00000000,00000000,?,00000001,000020B0,000003E8,00000000), ref: 00407939
                • DdeAccessData.USER32(W[@,?), ref: 00407949
                • DdeUnaccessData.USER32(W[@), ref: 00407986
                • DdeDisconnect.USER32(00000000), ref: 0040798F
                • DdeFreeStringHandle.USER32(00000000,00000000), ref: 0040799C
                • DdeFreeStringHandle.USER32(00000000,?), ref: 004079A9
                • lstrcmpiA.KERNEL32(00000000,Startup), ref: 004079ED
                • SendMessageA.USER32(W[@,00000143,00000000,00000000), ref: 00407A0A
                • DdeUninitialize.USER32(00000000), ref: 00407A19
                • DdeUninitialize.USER32(00000000), ref: 00407A40
                Strings
                Similarity
                • API ID: HandleString$CreateDataFreeUninitialize$AccessClientConnectDisconnectInitializeMessageSendTransactionUnaccesslstrcmpi
                • String ID: Groups$P$A$PROGMAN$Startup$W[@$W[@
                • API String ID: 3748507528-3360646485
                • Opcode ID: 6a379e55f3096f7bc5b20fb82128b23cff5e8038d355476a5628091bd52abf61
                • Instruction ID: 078f7c425d5d99baca7a3dcc44c5554cb12f356e8e0193e388e3d1c929574300
                • Opcode Fuzzy Hash: 6a379e55f3096f7bc5b20fb82128b23cff5e8038d355476a5628091bd52abf61
                • Instruction Fuzzy Hash: 3051FFB1E04209ABDB00DBE4C945FEF77B8AB08705F14442AF651F72C1D778AA41CB69
                APIs
                • GetDlgItem.USER32(?,00000002), ref: 0040824C
                • SetFocus.USER32(00000000), ref: 00408253
                • GetStockObject.GDI32(0000000C), ref: 0040825D
                • SendDlgItemMessageA.USER32(?,000003BA,00000030,00000000), ref: 0040826F
                • SetDlgItemTextA.USER32(?,0000096C,?), ref: 004082AB
                • LoadStringA.USER32(00400000,00000050,?,000003E8), ref: 004082EC
                • wsprintfA.USER32 ref: 00408328
                • GetDlgItem.USER32(?,000003BA), ref: 00408341
                • PostMessageA.USER32(?,00000111,00000002,00000000), ref: 00408369
                Strings
                Similarity
                • API ID: Item$Message$FocusLoadObjectPostSendStockStringTextwsprintf
                • String ID: P$WS_FTP LE License Agreement$license.wri$print$y
                • API String ID: 4016294380-3738667631
                • Opcode ID: e8a9c79fa8777d8e2b81eab887009c3bde93069e01435e2c1b7404ba72cc828c
                • Instruction ID: 3fd924e1412164d4e03bfeb7b935ba18a425afccdefbdb2d6d96d6e19ab10196
                • Opcode Fuzzy Hash: e8a9c79fa8777d8e2b81eab887009c3bde93069e01435e2c1b7404ba72cc828c
                • Instruction Fuzzy Hash: AF5194B1A40209FBDB208B94CD49FEE336DAB44705F00447AFB49EA1C1DBB999818F5D
                APIs
                • LoadIconA.USER32(00000000,00007F00), ref: 00402F0C
                • LoadCursorA.USER32(00000000,00007F00), ref: 00402F1F
                • GetStockObject.GDI32(00000001), ref: 00402F2D
                • RegisterClassA.USER32(00000003), ref: 00402F50
                • GetDesktopWindow.USER32 ref: 00402F5A
                • GetWindowRect.USER32(00000000), ref: 00402F61
                • CreateWindowExA.USER32(00000008,?,0041058C,02800000,?,?,0000015E,000000FA,00000000,00000000,?,00000000), ref: 00402FA7
                • ShowWindow.USER32(00000000,00000005), ref: 00402FC0
                • UpdateWindow.USER32(00000000), ref: 00402FCA
                • GetTickCount.KERNEL32 ref: 00402FD0
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00402FED
                • GetTickCount.KERNEL32 ref: 00402FFB
                • TranslateMessage.USER32(?), ref: 00403011
                • DispatchMessageA.USER32(?), ref: 0040301E
                • GetLastError.KERNEL32 ref: 0040302E
                • wsprintfA.USER32 ref: 00403065
                • MessageBoxA.USER32(00000000,?,00000000,00000000), ref: 00403078
                Strings
                Similarity
                • API ID: Window$Message$CountLoadTick$ClassCreateCursorDesktopDispatchErrorIconLastObjectPeekRectRegisterShowStockTranslateUpdatewsprintf
                • String ID: WSFTPSPLASH
                • API String ID: 2755763739-3423754451
                • Opcode ID: 94f79783320c63f55b2eefc70433c4de44a8279a8d26fd83cc5442d4482c13c2
                • Instruction ID: c21e5df79018b54be8e2297f7ae679dee0db694e1b14534944ca634262e2accd
                • Opcode Fuzzy Hash: 94f79783320c63f55b2eefc70433c4de44a8279a8d26fd83cc5442d4482c13c2
                • Instruction Fuzzy Hash: 53513B75A40608EFEB20DFA0DC49FDE7B79EB44705F1040A6F609EA1C4DBB49A448F59
                APIs
                • CheckDlgButton.USER32(?,00000758,00000000), ref: 00405E94
                • CheckDlgButton.USER32(?,00000971,00000000), ref: 00405EAC
                • CheckDlgButton.USER32(?,00000972,00000000), ref: 00405EC4
                • GetDlgItem.USER32(?,00000758), ref: 00405EDC
                • EnableWindow.USER32(00000000), ref: 00405EE3
                • GetDlgItem.USER32(?,00000971), ref: 00405EFB
                • EnableWindow.USER32(00000000), ref: 00405F02
                • GetDlgItem.USER32(?,00000972), ref: 00405F28
                • ShowWindow.USER32(00000000), ref: 00405F2F
                • GetDlgItem.USER32(?,00000972), ref: 00405F47
                • EnableWindow.USER32(00000000), ref: 00405F4E
                Strings
                Similarity
                • API ID: ItemWindow$ButtonCheckEnable$Show
                • String ID: Q#
                • API String ID: 4075633574-1075711896
                • Opcode ID: 9379d584a9512b38fa9b5f70b86665a59f3de6095f31edde7ead70bcee20a105
                • Instruction ID: f3744db183ec3d2dc4877af2762711d9bbf5df44940c83a5b9f3e901bd318b26
                • Opcode Fuzzy Hash: 9379d584a9512b38fa9b5f70b86665a59f3de6095f31edde7ead70bcee20a105
                • Instruction Fuzzy Hash: 80513376654604FFEB10DFA8DD4DEDA3B69EB44341F108431FA0AEB2A0C67CD9908B59
                APIs
                • DialogBoxParamA.USER32(00400000,DLG_LICENSE,?,0040821E,00000000), ref: 004084FA
                • WriteProfileStringA.KERNEL32(WS_FTP,VERSION,2000.02.23), ref: 0040851C
                • WriteProfileStringA.KERNEL32(WS_FTP,EVAL,00000000), ref: 0040852E
                • wsprintfA.USER32 ref: 00408564
                Strings
                Similarity
                • API ID: ProfileStringWrite$DialogParamwsprintf
                • String ID: %lu$2000.02.23$DLG_LICENSE$EVAL$EVAL$VERSION$VERSION$WS_FTP$WS_FTP$WS_FTP$WS_FTP
                • API String ID: 2056882488-3109447568
                • Opcode ID: 416aa44f968f99969dcd259455fe42bcca34970ff70eb48c848406d3ad44ad15
                • Instruction ID: b1cb1d0a511645ab20e30283d0e520cb10f3ee3a7e55beccc468b0f6ab5d047c
                • Opcode Fuzzy Hash: 416aa44f968f99969dcd259455fe42bcca34970ff70eb48c848406d3ad44ad15
                • Instruction Fuzzy Hash: AC111F75A80304FBCB10AB94ED0AFDE7BA4D754B46F20C076F641B21E1C6B85684C65E
                APIs
                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040610D
                • RegOpenKeyExA.ADVAPI32(?,-00000001,00000000,000F003F,?), ref: 00406148
                • RegCreateKeyA.ADVAPI32(?,-00000001,?), ref: 00406181
                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000), ref: 004061C1
                • wsprintfA.USER32 ref: 004061E4
                • lstrlenA.KERNEL32(?), ref: 004061F6
                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0040620D
                • RegCloseKey.ADVAPI32(00000000), ref: 00406230
                • RegCloseKey.ADVAPI32(?), ref: 0040623A
                Strings
                Similarity
                • API ID: CloseOpenValue$CreateQuerylstrlenwsprintf
                • String ID: Ipswitch0$RunOnce$RunOnce$RunServicesOnce$RunServicesOnce$Software\Microsoft\Windows\CurrentVersion
                • API String ID: 3928020351-2171350881
                • Opcode ID: 51c995427a2b93bc12ddf6474d8d89fa0ae811931d03f18b8307f96b3de2512e
                • Instruction ID: 5f339136f7361609a216e0391a3da6880ca4becc8382d6e9ecf0d2de57513354
                • Opcode Fuzzy Hash: 51c995427a2b93bc12ddf6474d8d89fa0ae811931d03f18b8307f96b3de2512e
                • Instruction Fuzzy Hash: 2E410075A00209EFDB00DB94D949BEEB7F9EB88305F108029E606E7290D7789A85CB65
                APIs
                • LoadStringA.USER32(00400000,0000005D,?,000003E8), ref: 0040883F
                • wsprintfA.USER32 ref: 0040887B
                • GetDlgItem.USER32(?,000003BA), ref: 00408894
                • PostMessageA.USER32(?,00000111,00000002,00000000), ref: 004088BC
                Strings
                Similarity
                • API ID: ItemLoadMessagePostStringwsprintf
                • String ID: WS_FTP Pro Order Form$]$m$print$prorder.wri
                • API String ID: 1702345966-3373616159
                • Opcode ID: 892a5219318905f007639180ba37c4c0a668eda0dba1e619834e1e4a1fd6c150
                • Instruction ID: 6fbe5ddb2a6f17bc06b28cb10e0855ae1ae1f9454c0716fa69eae66d56c42ea2
                • Opcode Fuzzy Hash: 892a5219318905f007639180ba37c4c0a668eda0dba1e619834e1e4a1fd6c150
                • Instruction Fuzzy Hash: 2641B3B1A40209EBDB20AB54CD49FEA736CAB44345F10847BF649F61C1DA7C99818F5E
                APIs
                  • Part of subcall function 0040108E: FormatMessageA.KERNEL32(00000400,?,00000000,00000000,?,00000400,?), ref: 004010B7
                • SetWindowTextA.USER32(?,?), ref: 0040375C
                • lstrlenA.KERNEL32(?), ref: 00403766
                • lstrlenA.KERNEL32(?), ref: 00403781
                • wsprintfA.USER32 ref: 004037AC
                • wsprintfA.USER32 ref: 004037CE
                • wsprintfA.USER32 ref: 004037EC
                • GetLastError.KERNEL32 ref: 00403899
                • MessageBoxA.USER32(?,?,?,00000015), ref: 004038EB
                Strings
                Similarity
                • API ID: wsprintf$Messagelstrlen$ErrorFormatLastTextWindow
                • String ID: %s%s$%s%s$%s\%s$WFT5DD2.tmp
                • API String ID: 1180295798-2077468126
                • Opcode ID: 859293c7e7d0ba2b93b11f6883ceefbfd0e919f29f322e43f9158c334b6e7deb
                • Instruction ID: b45ecd761a5aaf75a9d57af48d7ad519512da7791cdd2c057f0337c22ae1bc81
                • Opcode Fuzzy Hash: 859293c7e7d0ba2b93b11f6883ceefbfd0e919f29f322e43f9158c334b6e7deb
                • Instruction Fuzzy Hash: 9A5120F6900608ABDB10DF98DC49FDF77ACAB08305F0444A6FB19E7182D678DA948F65
                APIs
                • lstrcpyA.KERNEL32(?,?), ref: 00406ED9
                • wsprintfA.USER32 ref: 00406F0B
                • GetOpenFileNameA.COMDLG32(0000004C), ref: 0040701B
                • lstrcmpA.KERNEL32(?,004116D8,?,0000004C), ref: 00407066
                • lstrcpyA.KERNEL32(?,?,?,0000004C), ref: 0040707F
                • lstrcatA.KERNEL32(?,\WS_FTP,?,?,?,?,0000004C), ref: 004070B3
                Strings
                Similarity
                • API ID: lstrcpy$FileNameOpenlstrcatlstrcmpwsprintf
                • String ID: %s (*.*)|*.*|$L$WS_FTP95.exe$\WS_FTP$d$ws_ftp
                • API String ID: 629914147-2021373278
                • Opcode ID: 283c3c2ed1219be7e2d80d555786c045d7e9edda7c2e6d31011691eaf4d19deb
                • Instruction ID: c146b2207e1c20b376ff7c1f1a688a972c3acc0b96f6e309ad85206894136b9a
                • Opcode Fuzzy Hash: 283c3c2ed1219be7e2d80d555786c045d7e9edda7c2e6d31011691eaf4d19deb
                • Instruction Fuzzy Hash: C65154B5D00219DBDB20EF54DD49BD977B8AB04309F0440A6FA08E7291D379AED4CF59
                APIs
                • FindResourceA.KERNEL32(00000000,?,EXE), ref: 0040312A
                • SizeofResource.KERNEL32(00000000,00000000), ref: 00403145
                • LoadResource.KERNEL32(00000000,00000000), ref: 00403156
                • lstrcpyA.KERNEL32(?,00000000), ref: 00403174
                • lstrlenA.KERNEL32(?), ref: 00403181
                • lstrcatA.KERNEL32(?,004108DC), ref: 004031A4
                • lstrcatA.KERNEL32(?,?), ref: 004031B5
                • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004031D4
                • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 004031F9
                • CloseHandle.KERNEL32(000000FF), ref: 0040321E
                • FreeResource.KERNEL32(00000000), ref: 00403228
                Strings
                Similarity
                • API ID: Resource$Filelstrcat$CloseCreateFindFreeHandleLoadSizeofWritelstrcpylstrlen
                • String ID: EXE
                • API String ID: 407728055-4257543290
                • Opcode ID: 35f85b1499d5de6aa193f5d17235ef093c99cc5f1c4611c153ec7361be0a1282
                • Instruction ID: 4115bec72df3df7dfe7583e8d77ce5bec2c6fc25b012868bd60fb2ab3583a101
                • Opcode Fuzzy Hash: 35f85b1499d5de6aa193f5d17235ef093c99cc5f1c4611c153ec7361be0a1282
                • Instruction Fuzzy Hash: 0031D871900219EFDB10DFE8DC49BDE7BBCAB48302F108565F605E7290D774AA85CBA4
                APIs
                • BeginPaint.USER32(?,?), ref: 00406304
                • GetClientRect.USER32(?,?), ref: 0040631F
                • CreateCompatibleDC.GDI32(00000000), ref: 00406329
                • GetObjectA.GDI32(80050DCC,00000018,?), ref: 0040634E
                • SelectObject.GDI32(?,80050DCC), ref: 0040635E
                • BitBlt.GDI32(00000000,0000000A,0000000A,?,?,?,00000000,00000000,00CC0020), ref: 004063C9
                • SelectObject.GDI32(?,?), ref: 004063D7
                • GetObjectA.GDI32(2F050DE9,00000018,?), ref: 004063F9
                • SelectObject.GDI32(?,2F050DE9), ref: 00406409
                • BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0040643F
                • SelectObject.GDI32(?,?), ref: 0040644D
                • DeleteDC.GDI32(?), ref: 00406457
                • EndPaint.USER32(?,?), ref: 00406465
                Similarity
                • API ID: Object$Select$Paint$BeginClientCompatibleCreateDeleteRect
                • String ID:
                • API String ID: 509778671-0
                • Opcode ID: 17deadf7d14756f97e31e996b5cb585e9af17faf34bd9cec9538f2a19a2ed903
                • Instruction ID: c82690f7b791b9e454be83a0a63bc5119b9c3ce1e5b74c7fa83b8852168c6db5
                • Opcode Fuzzy Hash: 17deadf7d14756f97e31e996b5cb585e9af17faf34bd9cec9538f2a19a2ed903
                • Instruction Fuzzy Hash: 635170B5A00219EFCB40DFE8DD89FDEBBF9BB48341F148065F605E7290D674A9408B64
                APIs
                • LCMapStringA.KERNEL32(00000000,00000100,0040F34C,00000001,00000000,00000000,?,?,?,?,0040EDE0,00000000,00000200,?,00000002,?), ref: 0040CE65
                • LCMapStringW.KERNEL32(00000000,00000100,0040F350,00000001,00000000,00000000,?,?,?,?,0040EDE0,00000000,00000200,?,00000002,?), ref: 0040CE84
                • LCMapStringA.KERNEL32(00000200,00000200,00000200,00000000,@,?,?,?,?,?,0040EDE0,00000000,00000200,?,00000002,?), ref: 0040CEE8
                • MultiByteToWideChar.KERNEL32(?,00000009,00000200,00000000,00000000,00000000,?,?,?,?,0040EDE0,00000000,00000200,?,00000002,?), ref: 0040CF1F
                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0040CF5E
                • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0040CF78
                • LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?), ref: 0040CFAD
                Strings
                Similarity
                • API ID: String$ByteCharMultiWide
                • String ID: @
                • API String ID: 352835431-216407459
                • Opcode ID: f7b8106d6216cf57f19ea86a57bf0fa18d394eb7a1711d933e24a5f2fcc60ddf
                • Instruction ID: cc6315bee66e203b45f1aeba0a1dce30130340aeae1be87f02f30c8e456c162e
                • Opcode Fuzzy Hash: f7b8106d6216cf57f19ea86a57bf0fa18d394eb7a1711d933e24a5f2fcc60ddf
                • Instruction Fuzzy Hash: BF51B1B2704301ABE220DB65EC81FAB77ADDBC4755F00063AFA04E72C1D675EC0187AA
                APIs
                • InvalidateRect.USER32(?,00000000,00000001), ref: 004025DB
                • GetClientRect.USER32(?,?), ref: 004025E9
                • GetDC.USER32(?), ref: 004025F3
                • SelectPalette.GDI32(?,00000000,00000000), ref: 00402608
                • RealizePalette.GDI32(?), ref: 00402612
                • LockResource.KERNEL32(00000000), ref: 0040261E
                • StretchDIBits.GDI32(?,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0040279B
                • GlobalUnlock.KERNEL32(00000000), ref: 004027AA
                • ReleaseDC.USER32(?,?), ref: 004027B8
                • UpdateWindow.USER32(?), ref: 004027CC
                Strings
                Similarity
                • API ID: PaletteRect$BitsClientGlobalInvalidateLockRealizeReleaseResourceSelectStretchUnlockUpdateWindow
                • String ID: 0p)u
                • API String ID: 1386623887-3786888629
                • Opcode ID: 6b62533e02111d51aee9e5ec11aa997a9f46aaa1ef7082a2c2fec13cb47aca2f
                • Instruction ID: e9e2df6d65f761187e35ef4f7a0b2306bac240b842b76d8c6c17b99f644fe0f7
                • Opcode Fuzzy Hash: 6b62533e02111d51aee9e5ec11aa997a9f46aaa1ef7082a2c2fec13cb47aca2f
                • Instruction Fuzzy Hash: 5A61B8B5A04605EFCB04DFACD959BEABBF5FB4C301F148029F505EB291E674A940CB58
                APIs
                • SetDlgItemTextA.USER32(?,00000BC2,00413060), ref: 004070F9
                • SetDlgItemTextA.USER32(?,000003BA,00412E60), ref: 0040710D
                Strings
                Similarity
                • API ID: ItemText
                • String ID: `.A$`.A$p
                • API String ID: 3367045223-2593219778
                • Opcode ID: 0a3573d44fc6e22bb0034da1b4137d3784db28912a0f37d55add9e8cd97ffd30
                • Instruction ID: f54fafff1c0c32fd9546bbc70bd305f40cf13439d4e6c10fc6f3abed4454d11b
                • Opcode Fuzzy Hash: 0a3573d44fc6e22bb0034da1b4137d3784db28912a0f37d55add9e8cd97ffd30
                • Instruction Fuzzy Hash: 80316775B44304F7DB009A94DC4AFDA3A69E704745F108477B605EA2C1D2BCE680879B
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 0040B7C6
                • GetEnvironmentStrings.KERNEL32 ref: 0040B7DA
                • GetEnvironmentStringsW.KERNEL32 ref: 0040B815
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040B855
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040B87C
                • FreeEnvironmentStringsW.KERNEL32(?), ref: 0040B892
                • FreeEnvironmentStringsW.KERNEL32(?), ref: 0040B8A3
                Similarity
                • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                • String ID:
                • API String ID: 1823725401-0
                • Opcode ID: 1a265853d79eddf1c2f8f79f256335c02c0be8f753914f7799dc8e5f983baf9b
                • Instruction ID: ba88a1fc0620916ebb774b9f79f587fecf471607ef8c1d4cfcb5cab06d176aa0
                • Opcode Fuzzy Hash: 1a265853d79eddf1c2f8f79f256335c02c0be8f753914f7799dc8e5f983baf9b
                • Instruction Fuzzy Hash: 25412B7B7042095BE7206B65BC457A77798E780372F544037EE05A23D0E77EA80D82ED
                APIs
                Strings
                Similarity
                • API ID: wsprintf$lstrcat
                • String ID: %02X$%02X$%1!u!3$%s%s
                • API String ID: 2661776893-2746595266
                • Opcode ID: aacc063e5e71bbb0fea73ecb5e4beb648a12c22b1d43c383a3d42e9e9594e767
                • Instruction ID: 6c0a9e77cfc7ec90f8eac97dd57c798400b308d86829784d3076b93308c2160e
                • Opcode Fuzzy Hash: aacc063e5e71bbb0fea73ecb5e4beb648a12c22b1d43c383a3d42e9e9594e767
                • Instruction Fuzzy Hash: 4741AEB1900218DBCB11CF68CC45BEBB7B8BB09304F1444E6F949E7281D679AA85CF65
                APIs
                • LoadLibraryA.KERNEL32(user32.dll,?,?,?,0040C0D9,?,Microsoft Visual C++ Runtime Library,00012010,?,?,00000000), ref: 0040DEA2
                • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040DEBA
                • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040DECB
                • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040DED8
                Strings
                Similarity
                • API ID: AddressProc$LibraryLoad
                • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                • API String ID: 2238633743-4044615076
                • Opcode ID: ec459311cc5425d001b5661a2daa9caa8202c0d414afc3676858181ef147c74e
                • Instruction ID: 1ffb3c090d3c3c8265642682e4bd0becb8f368d9400bd7e2bec04d4356f2c443
                • Opcode Fuzzy Hash: ec459311cc5425d001b5661a2daa9caa8202c0d414afc3676858181ef147c74e
                • Instruction Fuzzy Hash: E10192756016229BC3219BA5EE44A9B779CEBC87617059037F902E2291D7B8CC188BAC
                APIs
                Similarity
                • API ID: DeleteFreeLocalObjectWindow$DestroyEnablePageSelectStart
                • String ID:
                • API String ID: 540746422-0
                • Opcode ID: f89d5f9d3788af57bfbcaa858b6322e87946ff99afa9b5723bd6dc4550beb03d
                • Instruction ID: 704e9fd5f85e17169a1be954737f388d53100f369f302e615e2d2985aeea7e6a
                • Opcode Fuzzy Hash: f89d5f9d3788af57bfbcaa858b6322e87946ff99afa9b5723bd6dc4550beb03d
                • Instruction Fuzzy Hash: 85414931904249DBDF20DB98DA48BEDB7B5AF40305F1040BBE485BA2D0CB7C99C6CB1A
                APIs
                Similarity
                • API ID: DeleteFreeLocalObjectWindow$DestroyEnablePageSelectStart
                • String ID:
                • API String ID: 540746422-0
                • Opcode ID: c3863e46351aa1db74494cc9a15a3da0b37852a28a8ae4e0839acb9831204b36
                • Instruction ID: b4ffed9f668128aa2374dcf495ac49e43ca418230d6ec9dab3a9604bdbc224ef
                • Opcode Fuzzy Hash: c3863e46351aa1db74494cc9a15a3da0b37852a28a8ae4e0839acb9831204b36
                • Instruction Fuzzy Hash: D1313A30904249DBDF109BD8DA4CBDDB7B5AF40306F1040BAE581BA2E0CBBC99C5CB1A
                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: DeleteFreeLocalObjectWindow$DestroyEnablePageSelectStart
                • String ID:
                • API String ID: 540746422-0
                • Opcode ID: 609f3b300f42a410c9af02e3505d817ab539ae93496430203d3a24b7fabe833d
                • Instruction ID: 0a04f878d458537b958068fd6ac0ef19e030bc57596209ae73e9d0b4df852f42
                • Opcode Fuzzy Hash: 609f3b300f42a410c9af02e3505d817ab539ae93496430203d3a24b7fabe833d
                • Instruction Fuzzy Hash: 8B313C71904248DBDF109BD8DA4CBD9B7B4AF40306F1044BAE581AA2E0CBBC89C5CB1A
                APIs
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 0040BFBF
                • GetStdHandle.KERNEL32(000000F4,?,?,00000000), ref: 0040C0F6
                • WriteFile.KERNEL32(?,?,FFFFFFFE,00000000,00000000,?,?,00000000), ref: 0040C11C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: File$HandleModuleNameWrite
                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                • API String ID: 3784150691-4022980321
                • Opcode ID: b7eda74a6f51b2a49ab78f6ae9d5de2887a8fab8377aa50123bb878e17144c40
                • Instruction ID: a99d1896640747baf5d8c68730bac6acc0053635eac09f64abcb7e58387f7ec8
                • Opcode Fuzzy Hash: b7eda74a6f51b2a49ab78f6ae9d5de2887a8fab8377aa50123bb878e17144c40
                • Instruction Fuzzy Hash: 5E41E6366006044BD728CA78AD047AA73C2E7C4330F54473AFE26A76D1DB759D098659
                APIs
                • DdeCreateStringHandleA.USER32(00000000,PROGMAN,000003EC), ref: 004072EB
                • DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 0040730B
                • lstrlenA.KERNEL32(0040750E), ref: 00407321
                • DdeClientTransaction.USER32(0040750E,?,00000000,00000000,00000001,00004050,000003E8,?), ref: 00407349
                • DdeDisconnect.USER32(00000000), ref: 00407366
                • DdeFreeStringHandle.USER32(00000000,00000000), ref: 00407373
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: HandleString$ClientConnectCreateDisconnectFreeTransactionlstrlen
                • String ID: PROGMAN
                • API String ID: 3433085550-601570409
                • Opcode ID: c8ce2082f238c815a7deb5e66c9e500d3d27ab9e23e01869fd0a6d1705773e96
                • Instruction ID: 47fa4f532401b3c35bb8d3d871359993a7bfc977d84bad4f2a52a234123a663f
                • Opcode Fuzzy Hash: c8ce2082f238c815a7deb5e66c9e500d3d27ab9e23e01869fd0a6d1705773e96
                • Instruction Fuzzy Hash: EA21EFB5D00208FBDB00DBE8C889FDE77BCAB04305F10446ABA14F72C0C6B8AA84CB54
                APIs
                • GetStartupInfoA.KERNEL32(?), ref: 0040BC88
                • GetFileType.KERNEL32(00000000), ref: 0040BD36
                • GetStdHandle.KERNEL32(FFFFFFF6), ref: 0040BD9E
                • GetFileType.KERNEL32(00000000), ref: 0040BDA8
                • SetHandleCount.KERNEL32(?), ref: 0040BDE5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: FileHandleType$CountInfoStartup
                • String ID: @
                • API String ID: 1710529072-2766056989
                • Opcode ID: 34138e7e39ea4abaa7f02efc31d9fe5d573e29c4c5c8348e54cb574515094cd5
                • Instruction ID: 8539f5cee9c8c624cad55316d2a729a9339489d1d5949f857a473979aaab81b4
                • Opcode Fuzzy Hash: 34138e7e39ea4abaa7f02efc31d9fe5d573e29c4c5c8348e54cb574515094cd5
                • Instruction Fuzzy Hash: 7E5107B19046498BD7219F28DC8479ABBA0EF41324F18827AD469AB3E1D77CD844C7DD
                APIs
                • SetDlgItemTextA.USER32(?,000005E7,00413060), ref: 00406D37
                • PostMessageA.USER32(?,00000111,00000500,00000000), ref: 00406D4D
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ItemMessagePostText
                • String ID:
                • API String ID: 4059469734-0
                • Opcode ID: 3784e8ded44de77c1bf672bd6dae6eb72893b2aa928b677d78d08176d25a7a54
                • Instruction ID: f3a8a08e536eff6df53d080976601ca41a4f99d7ff369ae4563570ccac5d5c2b
                • Opcode Fuzzy Hash: 3784e8ded44de77c1bf672bd6dae6eb72893b2aa928b677d78d08176d25a7a54
                • Instruction Fuzzy Hash: 0B311375644309FADB249F58CC49BEA77B4AB04741F214432B70BFE1D0C2BC96A1DB99
                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: lstrlen$lstrcat$PathTemplstrcpy
                • String ID:
                • API String ID: 3104176457-0
                • Opcode ID: 605619c77e57e99bda073deeebef4d2a7e116fc2624203727c78bcc0e96e0887
                • Instruction ID: 1f683ee9a572019a285dfd59d2cb963964ee1f52b244138bdda21adcc0bd627b
                • Opcode Fuzzy Hash: 605619c77e57e99bda073deeebef4d2a7e116fc2624203727c78bcc0e96e0887
                • Instruction Fuzzy Hash: 88215475905528DBCB11DBA4DC48BEEBBBCBB48306F1444F6E949E2141D3789BC98F18
                APIs
                • StretchDIBits.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00408763
                • GlobalUnlock.KERNEL32(00000000), ref: 0040876F
                • FreeResource.KERNEL32(00000000), ref: 0040877B
                • ReleaseDC.USER32(?,00000000), ref: 00408789
                • ValidateRect.USER32(?,00000000), ref: 00408795
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: BitsFreeGlobalRectReleaseResourceStretchUnlockValidate
                • String ID: 0p)u
                • API String ID: 2343598975-3786888629
                • Opcode ID: f100aed82d1eac287a925dca9fdf55fd27f347d7b2da2b22cad72450ee43015d
                • Instruction ID: 219085e46411850decf3ce5cd3dfc44181f5984dc4bd36103363da56664aeb4e
                • Opcode Fuzzy Hash: f100aed82d1eac287a925dca9fdf55fd27f347d7b2da2b22cad72450ee43015d
                • Instruction Fuzzy Hash: 39117AB9A44604EFD700CFACED85FDA77E9E748302F108425F605D72A2D675E9418B18
                APIs
                • ShellExecuteA.SHELL32(?,open,00410B7C,00000000,00410B78,00000001), ref: 00403F72
                • LoadStringA.USER32(00400000,00002752,?,00000100), ref: 00403F98
                • wsprintfA.USER32 ref: 00403FD5
                • MessageBoxA.USER32(?,?,WS_FTP,00000000), ref: 00403FF0
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ExecuteLoadMessageShellStringwsprintf
                • String ID: WS_FTP$open
                • API String ID: 3602480490-1079579106
                • Opcode ID: 839dd6c6a650a4b509de19262e710efc09126d5da1ce479bb626c4ffbd26aae8
                • Instruction ID: 029dc494fc23ce8e6b3b63f28d21fc001adbe4faf5205ec3b5f47f1d305fb758
                • Opcode Fuzzy Hash: 839dd6c6a650a4b509de19262e710efc09126d5da1ce479bb626c4ffbd26aae8
                • Instruction Fuzzy Hash: D7118275900319FBDB10DF94CC89FDA7BBDAB08705F0080A6F618E6181C7B89AC48F58
                APIs
                • GetStringTypeA.KERNEL32(00000000,00000001,0040F34C,00000001,?,?,?,?,00000000,?,00000001,00000000), ref: 0040E536
                • GetStringTypeW.KERNEL32(00000001,0040F350,00000001,?,?,?,?,00000000,?,00000001,00000000), ref: 0040E551
                • GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000001,00000000), ref: 0040E59F
                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000001,00000000), ref: 0040E5D6
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,00000000,?,00000001,00000000), ref: 0040E602
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0040E618
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: StringType$ByteCharMultiWide
                • String ID:
                • API String ID: 3852931651-0
                • Opcode ID: 4db3a37180dd3eb978ace99377fd721c312bb6f017f6ea05edfae57cda022ddd
                • Instruction ID: 514a62f1c49b2fa1921630a7d9d7674577b58157eb1af09816a2bdc9e7d975fd
                • Opcode Fuzzy Hash: 4db3a37180dd3eb978ace99377fd721c312bb6f017f6ea05edfae57cda022ddd
                • Instruction Fuzzy Hash: C931D371704200AFE2109B95EC41FBB7798EB88718F04093AF905E7290E679FC1487AA
                APIs
                • LZOpenFileA.LZ32(?,?,00000000), ref: 00403411
                • LZOpenFileA.LZ32(?,?,00000000,?,?,00000000), ref: 00403441
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: FileOpen
                • String ID:
                • API String ID: 2669468079-0
                • Opcode ID: ba564e7d4127aea1a9b29503b0580c07dcfe96ff05c67109af250954b5fd8da5
                • Instruction ID: e4a1c085d46a74d26320909c61a811cfb54580113746dbbf2679d0cdced3444f
                • Opcode Fuzzy Hash: ba564e7d4127aea1a9b29503b0580c07dcfe96ff05c67109af250954b5fd8da5
                • Instruction Fuzzy Hash: D831217190021CAFCF11DF69CC45BD977BCAB09315F0041EAF558EB282D638AB818F94
                APIs
                • GetWindowRect.USER32(?,?), ref: 00406C59
                • GetDesktopWindow.USER32 ref: 00406C75
                • GetWindowRect.USER32(00000000), ref: 00406C7C
                • MoveWindow.USER32(?,?,8"@,?,?,00000000,?,?,?,?,?,?,?,?,?,00402238), ref: 00406CFE
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: Window$Rect$DesktopMove
                • String ID: 8"@
                • API String ID: 2894293738-72837770
                • Opcode ID: 232b7b7fe6ea4e7423f9ab167c3e36a486582101fc29e071ec1539ced00360e2
                • Instruction ID: 2d3429b9add670098690ae398574976236d0a143ead4f8e11423920c5ad0f6cb
                • Opcode Fuzzy Hash: 232b7b7fe6ea4e7423f9ab167c3e36a486582101fc29e071ec1539ced00360e2
                • Instruction Fuzzy Hash: F3219375A1010AEFDF04CFBCD989AEEBBF9FB48215F048529E905E7254D634EA408B64
                APIs
                • wsprintfA.USER32 ref: 00407778
                  • Part of subcall function 004072C0: DdeCreateStringHandleA.USER32(00000000,PROGMAN,000003EC), ref: 004072EB
                  • Part of subcall function 004072C0: DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 0040730B
                  • Part of subcall function 004072C0: lstrlenA.KERNEL32(0040750E), ref: 00407321
                  • Part of subcall function 004072C0: DdeClientTransaction.USER32(0040750E,?,00000000,00000000,00000001,00004050,000003E8,?), ref: 00407349
                  • Part of subcall function 004072C0: DdeDisconnect.USER32(00000000), ref: 00407366
                  • Part of subcall function 004072C0: DdeFreeStringHandle.USER32(00000000,00000000), ref: 00407373
                • DdeUninitialize.USER32(00000000), ref: 0040779C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: HandleString$ClientConnectCreateDisconnectFreeTransactionUninitializelstrlenwsprintf
                • String ID: G@P:A$WS_FTP$[DeleteGroup(%s)]
                • API String ID: 3185502352-3071203189
                • Opcode ID: d7d5b77fdac69f6cc83fe3bad8185aade7a40a92ee69a37ce2b438bb19602624
                • Instruction ID: 4bed21f49ccabbefc97d56dc4c3019854aefef2721394ceb7bda76a9c357b82f
                • Opcode Fuzzy Hash: d7d5b77fdac69f6cc83fe3bad8185aade7a40a92ee69a37ce2b438bb19602624
                • Instruction Fuzzy Hash: F7F0C8B5900214A7DB10BB65EC49FC637AC9700349F004476B614D7291E23CE58487A9
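The two DDE functions above (the PROGMAN conversation at 004072C0 and the `[DeleteGroup(%s)]` caller that wraps it) and the ShellExecuteA function earlier in this listing are the entries an analyst actually wants to pull out of a report this long. The following parser is an added example by the editor, not Joe Sandbox code: it reads the report's own `APIs` / `String ID` / `Opcode ID` lines into per-function records and applies a few triage heuristics. The sample text is copied from this report's listing and trimmed to the lines the parser uses; the heuristics (which API combinations are worth a second look) are the editor's assumptions, not Joe Sandbox signatures.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing and triage them.

Added example, not Joe Sandbox code. SAMPLE is copied from this report's own
listing (DDE/PROGMAN, ShellExecuteA and [DeleteGroup] functions) and trimmed;
the triage rules are the editor's assumptions.
"""
import re

# One API entry line, e.g.
#   • DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 0040730B
#   • wsprintfA.USER32 ref: 00407778
#   • Part of subcall function 004072C0: DdeDisconnect.USER32(00000000), ref: 00407366
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_LINE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<s>.*)$")
OPCODE_LINE = re.compile(r"^\s*(?:•\s*)?Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")


def parse_functions(text):
    """Return one record per function: opcode_id, string_id and its API calls.

    A record opens at each 'APIs' header and closes at the 'Opcode ID' line,
    the stable identifier Joe Sandbox prints for the function.
    Each call is (name, module, args, ref, subcall_function_or_None).
    """
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"opcode_id": None, "string_id": "", "calls": []}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur["calls"].append(
                (m["name"], m["module"], m["args"] or "", m["ref"].upper(), m["sub"])
            )
            continue
        m = STRING_LINE.match(line)
        if m:
            cur["string_id"] = m["s"].strip()
            continue
        m = OPCODE_LINE.match(line)
        if m:
            cur["opcode_id"] = m["id"]
            cur = None  # record complete
    return funcs


def triage(func):
    """Heuristic notes for one parsed function (editor's assumptions, not Joe Sandbox rules)."""
    names = {c[0] for c in func["calls"]}
    args = " ".join(c[2] for c in func["calls"]) + " " + func["string_id"]
    notes = []
    if {"DdeConnect", "DdeClientTransaction"} <= names and "PROGMAN" in args:
        notes.append("DDE conversation with PROGMAN: Program Manager group/item commands")
    if names & {"ShellExecuteA", "ShellExecuteW"}:
        notes.append("ShellExecute: launches another program or document")
    if names & {"LZOpenFileA", "LZOpenFileW", "LZCopy"}:
        notes.append("LZ32: reads legacy compressed installer payloads")
    crt = {"GetStringTypeA", "GetStringTypeW", "MultiByteToWideChar", "WideCharToMultiByte"}
    if names and names <= crt:
        notes.append("CRT codepage helper, low interest")
    return notes


def summarize(text):
    """(opcode_id prefix, string_id, notes) for every function that draws a note."""
    out = []
    for f in parse_functions(text):
        notes = triage(f)
        if notes:
            out.append(((f["opcode_id"] or "")[:12], f["string_id"], notes))
    return out


# Constructed sample: lines copied from this report's listing, other lines dropped.
SAMPLE = """APIs
• DdeCreateStringHandleA.USER32(00000000,PROGMAN,000003EC), ref: 004072EB
• DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 0040730B
• lstrlenA.KERNEL32(0040750E), ref: 00407321
• DdeClientTransaction.USER32(0040750E,?,00000000,00000000,00000001,00004050,000003E8,?), ref: 00407349
• DdeDisconnect.USER32(00000000), ref: 00407366
• DdeFreeStringHandle.USER32(00000000,00000000), ref: 00407373
• String ID: PROGMAN
• Opcode ID: c8ce2082f238c815a7deb5e66c9e500d3d27ab9e23e01869fd0a6d1705773e96
APIs
• ShellExecuteA.SHELL32(?,open,00410B7C,00000000,00410B78,00000001), ref: 00403F72
• LoadStringA.USER32(00400000,00002752,?,00000100), ref: 00403F98
• wsprintfA.USER32 ref: 00403FD5
• MessageBoxA.USER32(?,?,WS_FTP,00000000), ref: 00403FF0
• String ID: WS_FTP$open
• Opcode ID: 839dd6c6a650a4b509de19262e710efc09126d5da1ce479bb626c4ffbd26aae8
APIs
• wsprintfA.USER32 ref: 00407778
  • Part of subcall function 004072C0: DdeCreateStringHandleA.USER32(00000000,PROGMAN,000003EC), ref: 004072EB
  • Part of subcall function 004072C0: DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 0040730B
  • Part of subcall function 004072C0: DdeClientTransaction.USER32(0040750E,?,00000000,00000000,00000001,00004050,000003E8,?), ref: 00407349
• DdeUninitialize.USER32(00000000), ref: 0040779C
• String ID: G@P:A$WS_FTP$[DeleteGroup(%s)]
• Opcode ID: d7d5b77fdac69f6cc83fe3bad8185aade7a40a92ee69a37ce2b438bb19602624
"""

if __name__ == "__main__":
    for opcode_prefix, string_id, notes in summarize(SAMPLE):
        print(opcode_prefix, repr(string_id), "; ".join(notes))
```

Run it against the full report text instead of SAMPLE to get every flagged function; the `Opcode ID` prefix lets you jump back to the matching entry in the listing, and the subcall field tells you which wrapper inherited the PROGMAN conversation from 004072C0.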
                APIs
                • lstrcpyA.KERNEL32(00413060,?), ref: 0040725B
                • lstrcpyA.KERNEL32(00412E60,?), ref: 0040726A
                • DialogBoxParamA.USER32(?,DLG_GETDIR,?,004070C9,00000000), ref: 00407284
                • lstrcpyA.KERNEL32(?,00412E60), ref: 004072A0
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: lstrcpy$DialogParam
                • String ID: DLG_GETDIR
                • API String ID: 4002069846-2949970309
                • Opcode ID: a46dc6122e452849c7200da228a7e3872b631631e5a45bb05f219196179eab4f
                • Instruction ID: 5d96f88d498123023cd395a1ad281dfac594a39a56b9ee2d763c49368237e9d0
                • Opcode Fuzzy Hash: a46dc6122e452849c7200da228a7e3872b631631e5a45bb05f219196179eab4f
                • Instruction Fuzzy Hash: BEF0FF75A40218FBD700DFE8ED4AFDE7BB8EB48751F104026F901D7190C274A9848B69
                APIs
                • lstrcpyA.KERNEL32(00413060,?), ref: 00408B50
                • lstrcpyA.KERNEL32(00412E60,?), ref: 00408B5F
                • DialogBoxParamA.USER32(?,DLG_INPUT,?,Function_00008A40,00000000), ref: 00408B79
                • lstrcpyA.KERNEL32(?,00412E60), ref: 00408B95
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: lstrcpy$DialogParam
                • String ID: DLG_INPUT
                • API String ID: 4002069846-2389665704
                • Opcode ID: 38762f76040836de7f71b8b3b16a7c978d726e101a33c36d3c63fbf212b3e437
                • Instruction ID: c0b8730eefe2089751aa89c1c3897f898ba12bea925efec53c15f8a9efd64dce
                • Opcode Fuzzy Hash: 38762f76040836de7f71b8b3b16a7c978d726e101a33c36d3c63fbf212b3e437
                • Instruction Fuzzy Hash: 49F0AF75640218FBD700DFA8ED49FDA7BB8EB48751F108426FA01E6290C674AA948B69
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e60d4b283fa8b140685c8660a6af27a08a98393582f449c09eca73d4dbfba18f
                • Instruction ID: 5aeb7386d3eab7372f1901a563787a04074faaaac21352f8589fb3bc50923ba3
                • Opcode Fuzzy Hash: e60d4b283fa8b140685c8660a6af27a08a98393582f449c09eca73d4dbfba18f
                • Instruction Fuzzy Hash: D4A1FA72604200CAE310DB2CFC853AB77A0AB81335F54073BE964A63E2D77D9949D79B
                APIs
                • WideCharToMultiByte.KERNEL32(00000000,00000220,?,?,?,?,00000000,?,00000000,?,00412C90,00000000,00412DB4,00000040,?,004099AD), ref: 0040E894
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ByteCharMultiWide
                • String ID:
                • API String ID: 626452242-0
                • Opcode ID: 4d77e46f870ad4eee7b0565bb2c77ec47607e7c557560d7a2aa2bfaf1ee34e69
                • Instruction ID: 48f2a47090996d89513b2ba53179a9d152c788e63fab1358e44fb6ccadf9245c
                • Opcode Fuzzy Hash: 4d77e46f870ad4eee7b0565bb2c77ec47607e7c557560d7a2aa2bfaf1ee34e69
                • Instruction Fuzzy Hash: E0613B733402045BDB109B5ABC40BABB794F7C1776F540A3BEA40A23D0D63E995DC76A
                APIs
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 004035F2
                • GetLastError.KERNEL32 ref: 00403605
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040366F
                • GetLastError.KERNEL32 ref: 004036A7
                • MessageBoxA.USER32(00000000,?,?,00000010), ref: 004036F3
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: CreateDirectoryErrorLast$Message
                • String ID:
                • API String ID: 2381442119-0
                • Opcode ID: c595cbfd49e5a0b239e951a90e2571065bb08722d9624cb56fd4ce531381106a
                • Instruction ID: f147e1a9ab869e49975179a39bccfb3642d8466fa9d0d3e68045d93a259e78dc
                • Opcode Fuzzy Hash: c595cbfd49e5a0b239e951a90e2571065bb08722d9624cb56fd4ce531381106a
                • Instruction Fuzzy Hash: D5314FB5900208FFDB10DFA4DC49BDE7BBCAB18306F0044A6F549A7281D6B55BC4CB65
                APIs
                • GetDlgItem.USER32(?,00000965), ref: 00405B4B
                • SetDlgItemTextA.USER32(?,00000965,00413A50), ref: 00405B68
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: Item$Text
                • String ID:
                • API String ID: 1601838975-0
                • Opcode ID: 08229dc55a8aca7b7506af132988b54e7e4d19ec34c3ab115f52498c33258781
                • Instruction ID: baefc51d0e55afea1a78395299e9a545032da751ba918cc8e2436edb575296df
                • Opcode Fuzzy Hash: 08229dc55a8aca7b7506af132988b54e7e4d19ec34c3ab115f52498c33258781
                • Instruction Fuzzy Hash: 0D115175644604FBEB109F98C849BDB7768DB45745F108433BA02BB2C0D1B9E9819F5E
                APIs
                • SetDlgItemTextA.USER32(?,00000BC2,00413060), ref: 00408A70
                • SetDlgItemTextA.USER32(?,000003BA,00412E60), ref: 00408A84
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ItemText
                • String ID:
                • API String ID: 3367045223-0
                • Opcode ID: a601418571e23d01f6546a3de851ae7406a0ea893738c6bb3f322377004b557a
                • Instruction ID: a8494b8ce8d67d0390c56db9e1f9416f084e7faca3aa8a619dca744cdb4ef2f8
                • Opcode Fuzzy Hash: a601418571e23d01f6546a3de851ae7406a0ea893738c6bb3f322377004b557a
                • Instruction Fuzzy Hash: 8F1145B5744208FBDB109B98CE4AFDE7674EB04345F108437B641EA2C0CAB8E5859B5E
                APIs
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00407BF9
                • EnableMenuItem.USER32(00000000), ref: 00407C00
                • GetParent.USER32(?), ref: 00407C20
                • EnableWindow.USER32(00000000), ref: 00407C27
                • DestroyWindow.USER32(?), ref: 00407C31
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: EnableMenuWindow$DestroyItemParentSystem
                • String ID:
                • API String ID: 1413011598-0
                • Opcode ID: 6ea07f3a698f66855fd6fdea9e0a43d7ab759e22c5c8cad49d5ffa30fc496c5d
                • Instruction ID: 28e43c82da88eb0d77e1a04a80c36df64266bafe3d2003a8da91512f4485498c
                • Opcode Fuzzy Hash: 6ea07f3a698f66855fd6fdea9e0a43d7ab759e22c5c8cad49d5ffa30fc496c5d
                • Instruction Fuzzy Hash: D3016775A0C204FBEB109FA8DD4DFDA7B68AB44345F108432F602EB2D0C6B9E580D75A
                APIs
                • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?,?), ref: 004096CB
                • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004096DD
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: CurrentDirectoryFullNamePath
                • String ID: .$:
                • API String ID: 2420862269-4202072812
                • Opcode ID: 0957c085dc6d846c3977b3dad98b3c065f136ac92ff8d13bdd4e31eeca82f3b6
                • Instruction ID: e9c145d67ecf57654f3f6f1097c7083a87760825626b6e7079ce8eab8ff63a24
                • Opcode Fuzzy Hash: 0957c085dc6d846c3977b3dad98b3c065f136ac92ff8d13bdd4e31eeca82f3b6
                • Instruction Fuzzy Hash: 3031F1B63442018BE324CB28E841BEB77D5EBC0354F44493EED80D32D2E6BD994DC6A6
                APIs
                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040E333
                • GetLastError.KERNEL32 ref: 0040E33D
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: ErrorFileLastRead
                • String ID:
                • API String ID: 1948546556-0
                • Opcode ID: 7a0f7c288ef8232c95e871063bc716807f070020ab83a52b4ea19bdfcaf201e0
                • Instruction ID: 5f0fa87c05154c4a0ad7d1c3b52c4cbc7f137325f1c1272b765a8b34ac25fcc5
                • Opcode Fuzzy Hash: 7a0f7c288ef8232c95e871063bc716807f070020ab83a52b4ea19bdfcaf201e0
                • Instruction Fuzzy Hash: BE7112706083818FD720CF29D8447AABBD0AF81324F58496BE894973E2D37CD859CB5B
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: wsprintf
                • String ID: [AddItem("%s","%s",,,,,%s)]$[DeleteItem("%s")]
                • API String ID: 2111968516-1022342587
                • Opcode ID: c2a574ce4cd0ed9ca31cb88fb9c8601ec8ea4500154d0e8f8e94d78954fa737d
                • Instruction ID: 0a378a6d5ba89b566c62370b102a4ab9f6d8293d9e11d580a742a697c3edc40a
                • Opcode Fuzzy Hash: c2a574ce4cd0ed9ca31cb88fb9c8601ec8ea4500154d0e8f8e94d78954fa737d
                • Instruction Fuzzy Hash: 704185B6D00218ABCB10DF64DC85EDA33AC9B14345F0444B7FA49E7281E639EB84CB65
                APIs
                • IsWindow.USER32(00000000), ref: 00407B70
                • SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 00407B9B
                • SendMessageA.USER32(00000000,000000B1,?,?), ref: 00407BB5
                • SendMessageA.USER32(00000000,000000C2,00000000,?), ref: 00407BCD
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: MessageSend$Window
                • String ID:
                • API String ID: 2326795674-0
                • Opcode ID: 168b189ad32b49376ed876055be928609ccca7b8a4bf6fcf7fbc78f3f2c9934e
                • Instruction ID: adc191d792fbb935d880431208752fa1ce8fdfc19e35e2f95068d89bcd2dd8eb
                • Opcode Fuzzy Hash: 168b189ad32b49376ed876055be928609ccca7b8a4bf6fcf7fbc78f3f2c9934e
                • Instruction Fuzzy Hash: 6301F4B5A00208FBEB10DF94DC49FDE77BCEB44745F108461BB09EB181D674EA448BA5
                APIs
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00407C9F
                • IsDialogMessageA.USER32(00000000,?), ref: 00407CC4
                • TranslateMessage.USER32(?), ref: 00407CD6
                • DispatchMessageA.USER32(?), ref: 00407CE0
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: Message$DialogDispatchPeekTranslate
                • String ID:
                • API String ID: 1266772231-0
                • Opcode ID: 828a95049949d1e81e90df1b984d936887855c5d6d12cfbe4ba3716805861f1f
                • Instruction ID: 89da36b6c07d2bfef1e012b455bc53dc6e945cb9608e9ca69301cd7857373b29
                • Opcode Fuzzy Hash: 828a95049949d1e81e90df1b984d936887855c5d6d12cfbe4ba3716805861f1f
                • Instruction Fuzzy Hash: 3601FFB1E0C209EAEB10ABA4EC49FE7776DBB40745F108432A601E11D0D77CA545D76A
                APIs
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004034EA
                • IsDialogMessageA.USER32(00000000,?), ref: 0040350F
                • TranslateMessage.USER32(?), ref: 00403521
                • DispatchMessageA.USER32(?), ref: 0040352B
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: Message$DialogDispatchPeekTranslate
                • String ID:
                • API String ID: 1266772231-0
                • Opcode ID: 55a25bff51ada454a4a6c33e2680b6f506e9ffaabfa4f002dd955a5c1c9c78b4
                • Instruction ID: 6b1a62db69ded8486f455de7b28f768663142c3d2bc36f820e632d5b0a417cda
                • Opcode Fuzzy Hash: 55a25bff51ada454a4a6c33e2680b6f506e9ffaabfa4f002dd955a5c1c9c78b4
                • Instruction Fuzzy Hash: 06F01D72A00209FBDB109BA5AC49FEB7BAE9780746F508036F201E60E4E678D5458B2D
                APIs
                • LoadStringA.USER32(00400000,?,0000273B,00000000), ref: 0040102F
                • wsprintfA.USER32 ref: 0040104D
                Strings
                • %u DEBUG - Unable to load string, xrefs: 00401041
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: LoadStringwsprintf
                • String ID: %u DEBUG - Unable to load string
                • API String ID: 104907563-2889721916
                • Opcode ID: f6ef7403e169275a9386566625940d9c2bfa81a19b92dc43be4b0c2e92cbd491
                • Instruction ID: 36e22fd1533719a5dd052d596b9bacd3a86f0f77aa0c6a2930f2b08d4bce87d5
                • Opcode Fuzzy Hash: f6ef7403e169275a9386566625940d9c2bfa81a19b92dc43be4b0c2e92cbd491
                • Instruction Fuzzy Hash: 1D015E75604148EFCB00EE98EC44FEB37ECBB48344F008436F999D7250D638D9948BA5
                APIs
                • DdeInitializeA.USER32(0041329C,00000000,00000010,00000000), ref: 004077E9
                • wsprintfA.USER32 ref: 00407817
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: Initializewsprintf
                • String ID: [CreateGroup(%s)]
                • API String ID: 1732171167-1026996935
                • Opcode ID: cbd129e154290ecd0829113dfd2a4013204256ba18d2220915a0e691fe11e447
                • Instruction ID: bafd85f7f6af00c3b4dc71afe8dc4a11df51c4194ce1148af8674bb07da65984
                • Opcode Fuzzy Hash: cbd129e154290ecd0829113dfd2a4013204256ba18d2220915a0e691fe11e447
                • Instruction Fuzzy Hash: D2F0AFB5A04224ABD710BB58FC4EFD63BAC9704349F008076BA04E71D1D2B9E584CBAA
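                The two function entries above that build Program Manager DDE command strings (the wsprintf routine with [AddItem("%s","%s",,,,,%s)] and [DeleteItem("%s")], and the DdeInitializeA routine with [CreateGroup(%s)]) are the classic way a 1990s-era installer creates Start Menu groups and shortcuts through the PROGMAN DDE service; by themselves they are an installer trait, not an indicator of compromise. The Python script below is an added triage example and is not part of the Joe Sandbox report or of the Ipswitch installer. It parses function entries written in this page's format (the "API.MODULE(args), ref:" lines, the "xrefs:" string lines and the Similarity "String ID" line, where Joe Sandbox joins several strings with "$"), groups imported APIs per module, and flags three combinations worth a look when vetting a dropped installer stub: the Progman DDE pattern, CreateDirectoryA followed by GetLastError and MessageBoxA (a modal error prompt that can stall an unattended run), and the PeekMessageA/DispatchMessageA pump. The sample text is constructed from entries on this page; the finding labels are this example's own, not Joe Sandbox signature names.

```python
"""Triage helper for Joe Sandbox function entries (added example, not code
from the report or the analysed installer)."""
import re
from dataclasses import dataclass, field

# "• Api.MODULE(args), ref: 00401234"  or  "• Api.MODULE ref: 00401234"
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• String ID: a$b"  (Joe Sandbox joins several strings with "$")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
# "• some text, xrefs: 00401041"
XREF_STR_RE = re.compile(r"^•\s*(?P<text>.+?),\s*xrefs:\s*[0-9A-Fa-f]+$")
# Last line of every function entry on the page
END_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:")
# Program Manager (PROGMAN) DDE commands used by legacy installers for
# Start Menu groups and shortcuts; an installer trait, not malicious per se.
PROGMAN_CMD_RE = re.compile(
    r"^\[(CreateGroup|DeleteGroup|ShowGroup|AddItem|DeleteItem|ReplaceItem|Reload|ExitProgman)\("
)


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (api, module, ref address)
    strings: list = field(default_factory=list)
    findings: list = field(default_factory=list)  # labels set by triage()


def parse_entries(text):
    """Split report text into one FunctionEntry per fuzzy-hash block."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if END_RE.match(line):
            entries.append(cur)
            cur = FunctionEntry()
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["api"], m["mod"], m["ref"]))
            continue
        m = STRING_ID_RE.match(line)
        if m:
            for s in m["ids"].split("$"):
                if s and s not in cur.strings:
                    cur.strings.append(s)
            continue
        m = XREF_STR_RE.match(line)
        if m and m["text"] not in cur.strings:
            cur.strings.append(m["text"])
    if cur.apis or cur.strings:  # trailing entry without a closing hash line
        entries.append(cur)
    return entries


def triage(entry):
    """Attach finding labels (this example's own names) to one entry."""
    api_names = {api for api, _, _ in entry.apis}
    if any(PROGMAN_CMD_RE.match(s) for s in entry.strings):
        via_dde = bool({"DdeInitializeA", "DdeInitializeW"} & api_names)
        entry.findings.append(
            "progman_dde_shortcut" + ("_with_dde_init" if via_dde else "_format_only"))
    # mkdir failure reported through a modal box: unattended runs stall here
    if {"CreateDirectoryA", "GetLastError", "MessageBoxA"} <= api_names:
        entry.findings.append("mkdir_with_user_facing_error")
    if {"PeekMessageA", "DispatchMessageA"} <= api_names:
        entry.findings.append("ui_message_pump")
    return entry.findings


def summarize(text):
    """Return (entries, apis per module, flagged entries) for a report excerpt."""
    entries = parse_entries(text)
    modules = {}
    for e in entries:
        for api, mod, _ in e.apis:
            modules.setdefault(mod, set()).add(api)
        triage(e)
    return entries, modules, [e for e in entries if e.findings]


# Constructed sample: five entries copied from the SFS5D75.tmp listing above,
# reduced to the lines this parser consumes.
SAMPLE_REPORT = """
• CreateDirectoryA.KERNEL32(?,00000000), ref: 004035F2
• GetLastError.KERNEL32 ref: 00403605
• MessageBoxA.USER32(00000000,?,?,00000010), ref: 004036F3
• String ID:
• Instruction Fuzzy Hash: D5314FB5900208FFDB10DFA4DC49BDE7BBCAB18306F0044A6F549A7281D6B55BC4CB65
• API ID: wsprintf
• String ID: [AddItem("%s","%s",,,,,%s)]$[DeleteItem("%s")]
• Instruction Fuzzy Hash: 704185B6D00218ABCB10DF64DC85EDA33AC9B14345F0444B7FA49E7281E639EB84CB65
• LoadStringA.USER32(00400000,?,0000273B,00000000), ref: 0040102F
• %u DEBUG - Unable to load string, xrefs: 00401041
• String ID: %u DEBUG - Unable to load string
• Instruction Fuzzy Hash: 1D015E75604148EFCB00EE98EC44FEB37ECBB48344F008436F999D7250D638D9948BA5
• DdeInitializeA.USER32(0041329C,00000000,00000010,00000000), ref: 004077E9
• wsprintfA.USER32 ref: 00407817
• String ID: [CreateGroup(%s)]
• Instruction Fuzzy Hash: D2F0AFB5A04224ABD710BB58FC4EFD63BAC9704349F008076BA04E71D1D2B9E584CBAA
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00407C9F
• DispatchMessageA.USER32(?), ref: 00407CE0
• Instruction Fuzzy Hash: 3601FFB1E0C209EAEB10ABA4EC49FE7776DBB40745F108432A601E11D0D77CA545D76A
"""

if __name__ == "__main__":
    entries, modules, flagged = summarize(SAMPLE_REPORT)
    for mod, names in sorted(modules.items()):
        print(f"{mod}: {', '.join(sorted(names))}")
    for i, e in enumerate(entries):
        print(f"entry {i}: apis={len(e.apis)} strings={e.strings} findings={e.findings}")
```

                In the [AddItem("%s","%s",,,,,%s)] format string the positional arguments line up with the Progman AddItem parameters CmdLine, Name, IconPath, IconIndex, xPos, yPos and DefDir, so the stub fills in the command line, the shortcut name and the default directory and leaves the icon and position fields empty. A triage script like this one reads the static listing only; it tells you what the stub is built to do, not what it did in the run, which is what the process tree and dropped-file sections at the top of the report are for.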
                APIs
                • GetDriveTypeA.KERNEL32(?), ref: 004097BE
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.1903864814.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.1903849291.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903880866.000000000040F000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903895489.0000000000415000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903957792.0000000000416000.00000008.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000417000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000002.00000002.1903974295.0000000000426000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_SFS5D75.jbxd
                Similarity
                • API ID: DriveType
                • String ID: :$\
                • API String ID: 338552980-1166558509
                • Opcode ID: 29fe5de7842d006cf34979e8decc33015f719c8fb271513b456ab2d2861ceef1
                • Instruction ID: 4b99833ff3da754e2bfaf8fe1eadcca4019a0bac2f963a5af54d9eca75909fd0
                • Opcode Fuzzy Hash: 29fe5de7842d006cf34979e8decc33015f719c8fb271513b456ab2d2861ceef1
                • Instruction Fuzzy Hash: E6E065A55083809BF7018A38950574B7AD46B91744F8C847AE489C6352F27ED80CC357