
Analysis Report DOC000YUT600.scr

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:648369
Start date:29.08.2018
Start time:09:58:45
Joe Sandbox Product:Cloud
Overall analysis duration:0h 11m 0s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:DOC000YUT600.scr (renamed file extension from scr to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.troj.spyw.evad.winEXE@10/5@0/1
EGA Information:
  • Successful, ratio: 33.3%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 90.9%)
  • Quality average: 76.9%
  • Quality standard deviation: 31.3%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Execution Graph export aborted for target DOC000YUT600.exe, PID 3420 because it is empty
  • Execution Graph export aborted for target Regdriver.exe, PID 3484 because it is empty
  • Execution Graph export aborted for target regdrv.exe, PID 3452 because it is empty
  • Execution Graph export aborted for target regdrv.exe, PID 3532 because it is empty
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Signature Overview



AV Detection:

Antivirus detection for dropped file
  • Source: C:\Users\user\Videos\Regdriver.exe; Avira: Label: HEUR/AGEN.1032427
  • Source: C:\Users\user\Music\regdrv.exe; Avira: Label: HEUR/AGEN.1032427
Antivirus detection for submitted file
  • Source: DOC000YUT60.exe; Avira: Label: HEUR/AGEN.1032427
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\Music\regdrv.exe; virustotal: Detection: 60%
  • Source: C:\Users\user\Videos\Regdriver.exe; virustotal: Detection: 60%
Multi AV Scanner detection for submitted file
  • Source: DOC000YUT60.exe; virustotal: Detection: 60%
Antivirus detection for unpacked file
  • Source: 5.2.regdrv.exe.2580000.3.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 6.0.regdrv.exe.400000.4.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 6.2.regdrv.exe.400000.3.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 3.0.regdrv.exe.400000.4.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 2.2.regdrv.exe.25d0000.3.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 6.1.regdrv.exe.400000.0.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 6.0.regdrv.exe.400000.5.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 3.2.regdrv.exe.400000.3.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 3.0.regdrv.exe.400000.5.unpack; Avira: Label: BDS/DarkKomet.GS
  • Source: 3.1.regdrv.exe.400000.0.unpack; Avira: Label: BDS/DarkKomet.GS
Yara signature match
Matched rules:
  • Malware_QA_update: date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
  • RAT_DarkComet: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Sources matching rule Malware_QA_update, type: MEMORY
  • 00000006.00000000.479399059.00400000.00000040.sdmp
  • 00000006.00000001.481410763.00400000.00000040.sdmp
  • 00000005.00000002.491857687.02580000.00000040.sdmp
  • 00000002.00000002.462554403.025D0000.00000040.sdmp
  • 00000003.00000001.447610474.00400000.00000040.sdmp
  • 00000003.00000002.699224479.00400000.00000040.sdmp
  • 00000006.00000000.479959577.00400000.00000040.sdmp
  • 00000006.00000002.482534154.00400000.00000040.sdmp
  • 00000003.00000000.446776706.00400000.00000040.sdmp
  • 00000003.00000000.446217367.00400000.00000040.sdmp
Sources matching rule Malware_QA_update, type: UNPACKEDPE
  • 6.1.regdrv.exe.400000.0.unpack
  • 5.2.regdrv.exe.2580000.3.unpack
  • 6.2.regdrv.exe.400000.3.raw.unpack
  • 6.0.regdrv.exe.400000.5.raw.unpack
  • 2.2.regdrv.exe.25d0000.3.raw.unpack
  • 5.2.regdrv.exe.2580000.3.raw.unpack
  • 2.2.regdrv.exe.25d0000.3.unpack
  • 6.0.regdrv.exe.400000.4.unpack
  • 6.1.regdrv.exe.400000.0.raw.unpack
  • 3.2.regdrv.exe.400000.3.raw.unpack
  • 6.0.regdrv.exe.400000.5.unpack
  • 6.2.regdrv.exe.400000.3.unpack
  • 3.0.regdrv.exe.400000.4.unpack
  • 3.2.regdrv.exe.400000.3.unpack
  • 3.0.regdrv.exe.400000.5.unpack
  • 3.0.regdrv.exe.400000.4.raw.unpack
  • 3.0.regdrv.exe.400000.5.raw.unpack
  • 6.0.regdrv.exe.400000.4.raw.unpack
  • 3.1.regdrv.exe.400000.0.unpack
  • 3.1.regdrv.exe.400000.0.raw.unpack
Sources matching rule RAT_DarkComet, type: MEMORY
  • 00000006.00000001.481410763.00400000.00000040.sdmp
  • 00000006.00000000.479399059.00400000.00000040.sdmp
  • 00000002.00000003.450764221.7F370000.00000004.sdmp
  • 00000005.00000002.491857687.02580000.00000040.sdmp
  • 00000002.00000002.462554403.025D0000.00000040.sdmp
  • 00000003.00000001.447610474.00400000.00000040.sdmp
  • 00000003.00000002.699224479.00400000.00000040.sdmp
  • 00000006.00000000.479959577.00400000.00000040.sdmp
  • 00000006.00000002.482534154.00400000.00000040.sdmp
  • 00000003.00000000.446776706.00400000.00000040.sdmp
  • 00000005.00000003.485657484.7F370000.00000004.sdmp
  • 00000003.00000000.446217367.00400000.00000040.sdmp
Sources matching rule RAT_DarkComet, type: UNPACKEDPE
  • 6.1.regdrv.exe.400000.0.unpack
  • 5.2.regdrv.exe.2580000.3.unpack
  • 6.2.regdrv.exe.400000.3.raw.unpack
  • 6.0.regdrv.exe.400000.5.raw.unpack
  • 2.2.regdrv.exe.25d0000.3.raw.unpack
  • 5.2.regdrv.exe.2580000.3.raw.unpack
  • 2.2.regdrv.exe.25d0000.3.unpack
  • 6.0.regdrv.exe.400000.4.unpack
  • 6.1.regdrv.exe.400000.0.raw.unpack
  • 3.2.regdrv.exe.400000.3.raw.unpack
  • 6.0.regdrv.exe.400000.5.unpack
  • 6.2.regdrv.exe.400000.3.unpack
  • 3.0.regdrv.exe.400000.4.unpack
  • 3.2.regdrv.exe.400000.3.unpack
  • 3.0.regdrv.exe.400000.5.unpack
  • 3.0.regdrv.exe.400000.4.raw.unpack
  • 3.0.regdrv.exe.400000.5.raw.unpack
  • 6.0.regdrv.exe.400000.4.raw.unpack
  • 3.1.regdrv.exe.400000.0.unpack
  • 3.1.regdrv.exe.400000.0.raw.unpack

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\DOC000YUT600.exe; Code function: 1_3_00342EA8 FindFirstFileA,GetLastError,1_3_00342EA8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_0040A488 FindFirstFileA,GetLastError,3_2_0040A488
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_00406A68
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_00480FEC FindFirstFileA,3_2_00480FEC
  • Source: C:\Users\user\Videos\Regdriver.exe; Code function: 4_3_002A66A8 FindFirstFileA,GetLastError,4_3_002A66A8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 6_2_0040A488 FindFirstFileA,GetLastError,6_2_0040A488
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 6_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,6_2_00406A68
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 6_2_00480FEC FindFirstFileA,6_2_00480FEC

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic; TCP traffic: 192.168.1.82:49188 -> 95.140.125.42:1908
Connects to IPs without corresponding DNS lookups
  • Source: unknown; TCP traffic detected without corresponding DNS query: 95.140.125.42 (this entry is reported 12 times)
Contains functionality to upload files via FTP
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_00473560 FtpPutFileA,3_2_00473560
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 6_2_00473560 FtpPutFileA,6_2_00473560
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View; ASN Name: ORIONTELEKOM-ASRS ORIONTELEKOM-ASRS
Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_004865E0 Sleep,TranslateMessage,DispatchMessageA,PeekMessageA,socket,ntohs,inet_addr,gethostbyname,connect,recv,shutdown,closesocket,3_2_004865E0
Urls found in memory or binary data
  • Source: regdrv.exe, 00000002.00000002.451751956.013B0000.00000004.sdmp; String found in binary or memory: http://SAC.home-page.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [ESC] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [F1] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [F2] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [DEL] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [DEL] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [INS] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [SNAPSHOT] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [LEFT] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [RIGHT] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [DOWN] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [UP] 3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [ESC] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [F1] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [F2] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [DEL] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [DEL] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [INS] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [SNAPSHOT] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [LEFT] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [RIGHT] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [DOWN] 6_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: [UP] 6_2_004818F8
Contains functionality to log keystrokes
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,3_2_004818F8
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 6_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,6_2_004818F8
Contains functionality to register a low level keyboard hook
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_00481ED8 SetWindowsHookExA 0000000D,004818F8,00000000,00000000 3_2_00481ED8
Installs a global keyboard hook
  • Source: C:\Users\user\Music\regdrv.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Music\regdrv.exe
Contains functionality to read data from the clipboard
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_0040838E OpenClipboard,3_2_0040838E
Contains functionality to read the clipboard data
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_00428418 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,3_2_00428418
Contains functionality to record screenshots
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_00428B08 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,3_2_00428B08
Contains functionality to retrieve information about pressed keystrokes
  • Source: C:\Users\user\Music\regdrv.exe; Code function: 3_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,3_2_004818F8

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048BB34 SystemParametersInfoA, 6_2_0048BB34
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00489E9C SystemParametersInfoA, 6_2_00489E9C

System Summary:

PE file contains more sections than normal
Source: Regdriver.exe.1.dr | Static PE information: Number of sections : 11 > 10
Source: DOC000YUT60.exe | Static PE information: Number of sections : 11 > 10
Source: regdrv.exe.1.dr | Static PE information: Number of sections : 11 > 10
PE file has a writeable .text section
Source: DOC000YUT60.exe | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: regdrv.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: Regdriver.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004865E0 Sleep,TranslateMessage,DispatchMessageA,PeekMessageA,socket,ntohs,inet_addr,gethostbyname,connect,recv,shutdown,closesocket, 3_2_004865E0
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004801FC socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,send,recv,recv,recv,shutdown,closesocket, 3_2_004801FC
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004821A0 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,sendto,Sleep,closesocket,ExitThread, 3_2_004821A0
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048851C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,mouse_event,shutdown,closesocket, 3_2_0048851C
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00460628 inet_addr,ntohs, 3_2_00460628
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00482630 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread, 3_2_00482630
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004607A4 getservbyname,ntohs, 3_2_004607A4
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00480880 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,shutdown,closesocket,shutdown,closesocket, 3_2_00480880
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00486918 recv,recv,send,send,recv,send,send,send,send,send,recv,recv,recv,gethostbyname,ntohs,socket,connect,getsockname,send,select,recv,send,recv,send,Sleep,closesocket,closesocket, 3_2_00486918
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048298C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,closesocket,ExitThread,closesocket,ExitThread, 3_2_0048298C
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread, 3_2_00486E2C
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048317C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread, 3_2_0048317C
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00489244 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread, 3_2_00489244
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0047F4E0 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,recv,shutdown,closesocket, 3_2_0047F4E0
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004836D8 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread, 3_2_004836D8
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0047FA8C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,BitBlt,send,recv,SelectObject,DeleteObject,DeleteObject,ReleaseDC,shutdown,closesocket, 3_2_0047FA8C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004801FC socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,send,recv,recv,recv,shutdown,closesocket, 6_2_004801FC
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004821A0 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,sendto,Sleep,closesocket,ExitThread, 6_2_004821A0
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048851C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,mouse_event,shutdown,closesocket, 6_2_0048851C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004865E0 Sleep,TranslateMessage,DispatchMessageA,PeekMessageA,socket,ntohs,inet_addr,gethostbyname,connect,recv,shutdown,closesocket, 6_2_004865E0
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00460628 inet_addr,ntohs, 6_2_00460628
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00482630 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread, 6_2_00482630
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004607A4 getservbyname,ntohs, 6_2_004607A4
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00480880 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,shutdown,closesocket,shutdown,closesocket, 6_2_00480880
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00486918 recv,recv,send,send,recv,send,send,send,send,send,recv,recv,recv,gethostbyname,ntohs,socket,connect,getsockname,send,select,recv,send,recv,send,Sleep,closesocket,closesocket, 6_2_00486918
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048298C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,closesocket,ExitThread,closesocket,ExitThread, 6_2_0048298C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread, 6_2_00486E2C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048317C socket,ExitThread,ntohs,inet_addr,gethostbyname,ExitThread,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread, 6_2_0048317C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00489244 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,send,recv,shutdown,closesocket,ExitThread, 6_2_00489244
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0047F4E0 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,recv,recv,shutdown,closesocket, 6_2_0047F4E0
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004836D8 socket,ExitThread,inet_addr,ntohs,gethostbyname,ExitThread,connect,ExitThread,recv,Sleep,closesocket,ExitThread, 6_2_004836D8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0047FA8C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,BitBlt,send,recv,SelectObject,DeleteObject,DeleteObject,ReleaseDC,shutdown,closesocket, 6_2_0047FA8C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00487B54 CoInitialize,socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,send,recv,shutdown,closesocket, 6_2_00487B54
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0047FE20 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,send,shutdown,closesocket, 6_2_0047FE20
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00485F40 socket,ntohs,inet_addr,gethostbyname,connect,recv,recv, 6_2_00485F40
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00487F2C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,Sleep,send,recv,shutdown,closesocket, 6_2_00487F2C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess, 6_2_00473F34
Contains functionality to delete services
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004715B0 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle, 3_2_004715B0
Contains functionality to shut down / reboot the system
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 3_2_0048A070
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 6_2_0048A070
Creates mutexes
Source: C:\Users\user\Music\regdrv.exe | Mutant created: \Sessions\1\BaseNamedObjects\DCMIN_MUTEX-JY7PNMH
Detected potential crypto function
Enables driver privileges
Source: C:\Users\user\Music\regdrv.exe | Process token adjusted: Load Driver
Enables security privileges
Source: C:\Users\user\Music\regdrv.exe | Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00407B10 appears 276 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 004735E8 appears 75 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00407688 appears 36 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00407B08 appears 65 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 004100C4 appears 40 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00405584 appears 117 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00406F68 appears 32 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00474D58 appears 46 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 0040EF4C appears 42 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 004055C8 appears 72 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 004043B0 appears 46 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 0041163C appears 38 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00405974 appears 32 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00404F34 appears 36 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00405818 appears 40 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00404F10 appears 162 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 004218E4 appears 149 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00404A1C appears 32 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00405554 appears 31 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00405530 appears 130 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 004104C4 appears 42 times
Source: C:\Users\user\Music\regdrv.exe | Code function: String function: 00405864 appears 57 times
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: String function: 00404F10 appears 81 times
Source: C:\Users\user\Videos\Regdriver.exe | Code function: String function: 00404F10 appears 81 times
PE file contains strange resources
Source: DOC000YUT60.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC000YUT60.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: regdrv.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Regdriver.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in the version info
Source: DOC000YUT60.exe | Binary or memory string: OriginalFilenamePeaZip. vs DOC000YUT60.exe
PE file has a writable .reloc section
Source: DOC000YUT60.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: regdrv.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: Regdriver.exe.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
PE file contains an invalid data directory
Source: DOC000YUT60.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: regdrv.exe.1.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: Regdriver.exe.1.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Classification label
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@10/5@0/1
Contains functionality for error logging
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00425A70 GetLastError,FormatMessageA, 3_2_00425A70
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048AEA8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError, 3_2_0048AEA8
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 3_2_0048A070
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048AEA8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError, 6_2_0048AEA8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 6_2_0048A070
Contains functionality to check free disk space
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0040A746 GetDiskFreeSpaceA, 3_2_0040A746
Contains functionality to create services
Source: C:\Users\user\Music\regdrv.exe | Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle, 3_2_00471850
Source: C:\Users\user\Music\regdrv.exe | Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00471850
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_2_00407D92 CoCreateInstance, 1_2_00407D92
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048DDE0 FindResourceA,LoadResource,SizeofResource,LockResource,FreeResource, 3_2_0048DDE0
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004714B8 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 3_2_004714B8
Creates files inside the user directory
Source: C:\Users\user\Desktop\DOC000YUT600.exe | File created: C:\Users\user\Music\regdrv.exe
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Videos\Regdriver.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\Music\regdrv.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\DOC000YUT600.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: DOC000YUT60.exe | virustotal: Detection: 60%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\DOC000YUT600.exe 'C:\Users\user\Desktop\DOC000YUT600.exe'
Source: unknown | Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: unknown | Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Source: unknown | Process created: C:\Users\user\Videos\Regdriver.exe 'C:\Users\user\Videos\Regdriver.exe'
Source: unknown | Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: unknown | Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: C:\Users\user\Music\regdrv.exe | Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Source: C:\Users\user\Videos\Regdriver.exe | Process created: C:\Users\user\Music\regdrv.exe 'C:\Users\user\Music\regdrv.exe'
Source: C:\Users\user\Music\regdrv.exe | Process created: C:\Users\user\Music\regdrv.exe C:\Users\user\Music\regdrv.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: DOC000YUT60.exe | Static file information: File size 1816064 > 1048576
PE file has a big raw section
Source: DOC000YUT60.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16f800

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_0034FD78 LoadLibraryA,GetProcAddress,GetModuleHandleA, 1_3_0034FD78
Entry point lies outside standard sections
Source: initial sample | Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: Regdriver.exe.1.dr | Static PE information: real checksum: 0xf110a should be: 0x1bf325
Source: DOC000YUT60.exe | Static PE information: real checksum: 0xf110a should be: 0x1bf325
Source: regdrv.exe.1.dr | Static PE information: real checksum: 0xf110a should be: 0x1bf325
Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Users\user\Desktop\DOC000YUT600.exeFile created: C:\Users\user\Music\regdrv.exeJump to dropped file
Source: C:\Users\user\Desktop\DOC000YUT600.exeFile created: C:\Users\user\Videos\Regdriver.exeJump to dropped file

Boot Survival:

barindex
Contains functionality to start windows servicesShow sources
Source: C:\Users\user\Music\regdrv.exeCode function: 3_2_004714B8 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,3_2_004714B8
Creates an autostart registry keyShow sources
Source: C:\Users\user\Music\regdrv.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Registry DriverJump to behavior
Source: C:\Users\user\Music\regdrv.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Registry DriverJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0042E370 IsIconic,GetWindowPlacement,GetWindowRect,3_2_0042E370
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00458910 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,3_2_00458910
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_004576CC IsIconic,GetCapture,3_2_004576CC
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0043B75C IsIconic,3_2_0043B75C
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0043B7D8 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,3_2_0043B7D8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0042E370 IsIconic,GetWindowPlacement,GetWindowRect,6_2_0042E370
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00458910 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,6_2_00458910
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_004576CC IsIconic,GetCapture,6_2_004576CC
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0043B75C IsIconic,6_2_0043B75C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0043B7D8 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,6_2_0043B7D8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00457FD4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,6_2_00457FD4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00460AC0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00460AC0
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Videos\Regdriver.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Music\regdrv.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_3-39469
Contains functionality to enumerate running services
Source: C:\Users\user\Music\regdrv.exe | Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,3_2_00471640
Source: C:\Users\user\Music\regdrv.exe | Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,6_2_00471640
Found evasive API chain (date check)
Source: C:\Users\user\Music\regdrv.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\Music\regdrv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_3-38102
Found large amount of non-executed APIs
Source: C:\Users\user\Music\regdrv.exe | API coverage: 6.5 %
Source: C:\Users\user\Music\regdrv.exe | API coverage: 4.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Music\regdrv.exe TID: 3516 | Thread sleep count: 92 > 30
Source: C:\Users\user\Music\regdrv.exe TID: 3516 | Thread sleep time: -92000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Music\regdrv.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_00342EA8 FindFirstFileA,GetLastError,1_3_00342EA8
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0040A488 FindFirstFileA,GetLastError,3_2_0040A488
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_00406A68
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00480FEC FindFirstFileA,3_2_00480FEC
Source: C:\Users\user\Videos\Regdriver.exe | Code function: 4_3_002A66A8 FindFirstFileA,GetLastError,4_3_002A66A8
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_0040A488 FindFirstFileA,GetLastError,6_2_0040A488
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,6_2_00406A68
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00480FEC FindFirstFileA,6_2_00480FEC
Program exit points
Source: C:\Users\user\Music\regdrv.exe | API call chain: ExitProcess graph end node | graph_3-39280
Source: C:\Users\user\Music\regdrv.exe | API call chain: ExitProcess graph end node | graph_3-39338
Source: C:\Users\user\Music\regdrv.exe | API call chain: ExitProcess graph end node

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Users\user\Music\regdrv.exe | File opened: SIWDEBUG
Source: C:\Users\user\Music\regdrv.exe | File opened: NTICE
Source: C:\Users\user\Music\regdrv.exe | File opened: SICE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_0034FD78 LoadLibraryA,GetProcAddress,GetModuleHandleA,1_3_0034FD78
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00466038 FreeLibrary,VirtualFree,GetProcessHeap,HeapFree,3_2_00466038
Enables debug privileges
Source: C:\Users\user\Music\regdrv.exe | Process token adjusted: Debug
Source: C:\Users\user\Music\regdrv.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,6_2_00473F34
Injects a PE file into a foreign process
Source: C:\Users\user\Music\regdrv.exe | Memory written: C:\Users\user\Music\regdrv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Music\regdrv.exe | Memory written: C:\Users\user\Music\regdrv.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Music\regdrv.exe | Thread register set: target process: 3468
Source: C:\Users\user\Music\regdrv.exe | Thread register set: target process: 3540
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048A218 ShellExecuteExA,3_2_0048A218
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048B42C keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,3_2_0048B42C
Contains functionality to simulate mouse events
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048851C socket,ntohs,inet_addr,gethostbyname,connect,recv,recv,recv,mouse_event,shutdown,closesocket,3_2_0048851C
May try to detect the Windows Explorer process (often used for injection)
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: regdrv.exe | Binary or memory string: Shell_TrayWnd
Source: regdrv.exe | Binary or memory string: Progman
Source: 2018-08-29-4.dc.3.dr | Binary or memory string: :: Program Manager (10:00:23 AM)
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_TrayWndjjh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Progmanjhh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: ProgmanU
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: ButtonShell_TrayWndj
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndReBarWindow32jh
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_traywndReBarWindow32jhD
Source: regdrv.exe | Binary or memory string: Shell_traywnd
Source: regdrv.exe, 00000002.00000003.450764221.7F370000.00000004.sdmp | Binary or memory string: Shell_TrayWndPjjh

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: GetLocaleInfoA,1_3_00343A28
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: GetLocaleInfoA,1_3_00343A74
Source: C:\Users\user\Music\regdrv.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_00406C2C
Source: C:\Users\user\Music\regdrv.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_00406D38
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,3_2_0048CEEC
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,3_2_0040D334
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,3_2_0040D380
Source: C:\Users\user\Videos\Regdriver.exe | Code function: GetLocaleInfoA,4_3_002A7228
Source: C:\Users\user\Videos\Regdriver.exe | Code function: GetLocaleInfoA,4_3_002A7274
Source: C:\Users\user\Music\regdrv.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,6_2_00406C2C
Source: C:\Users\user\Music\regdrv.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,6_2_00406D38
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,6_2_0048CEEC
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,6_2_0040D334
Source: C:\Users\user\Music\regdrv.exe | Code function: GetLocaleInfoA,6_2_0040D380
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_0034C02C cpuid 1_3_0034C02C
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Music\regdrv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Music\regdrv.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_003439A4 GetLocalTime,1_3_003439A4
Contains functionality to query the account / user name
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_0048CE74 GetUserNameA,3_2_0048CE74
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\DOC000YUT600.exe | Code function: 1_3_00344440 GetVersionExA,1_3_00344440

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\Music\regdrv.exe | Code function: 3_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,3_2_00486E2C
Source: C:\Users\user\Music\regdrv.exe | Code function: 6_2_00486E2C socket,ntohs,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,ExitThread,6_2_00486E2C

Behavior Graph

Behavior Graph ID: 648369 | Sample: DOC000YUT600.scr | Startdate: 29/08/2018 | Architecture: WINDOWS | Score: 100

  • Submitted sample
    • Antivirus detection for submitted file
    • Multi AV Scanner detection for submitted file
    • PE file contains more sections than normal
    • 3 other signatures
    • DOC000YUT600.exe started
      • dropped: C:\Users\user\Videos\Regdriver.exe, PE32
      • dropped: C:\Users\user\Music\regdrv.exe, PE32
      • dropped: C:\Users\...\Regdriver.exe:Zone.Identifier, ASCII
      • dropped: C:\Users\user\...\regdrv.exe:Zone.Identifier, ASCII
      • regdrv.exe started
        • Antivirus detection for dropped file
        • Multi AV Scanner detection for dropped file
        • Contains functionality to log keystrokes
        • 6 other signatures
        • regdrv.exe started
          • Installs a global keyboard hook
          • 95.140.125.42, 1908, 49188 ORIONTELEKOM-ASRS Serbia
            • Detected TCP or UDP traffic on non-standard ports
    • Regdriver.exe started
      • Antivirus detection for dropped file
      • Multi AV Scanner detection for dropped file
      • regdrv.exe started
        • Modifies the context of a thread in another process (thread injection)
        • Injects a PE file into a foreign process
        • regdrv.exe started

Simulations

Behavior and APIs

Time | Type | Description
09:59:41 | API Interceptor | 2x Sleep call for process: DOC000YUT600.exe modified
09:59:48 | API Interceptor | 6x Sleep call for process: regdrv.exe modified
09:59:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry Driver C:\Users\user\Videos\Regdriver.exe
09:59:56 | API Interceptor | 2x Sleep call for process: Regdriver.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
DOC000YUT60.exe | 61% | virustotal |
DOC000YUT60.exe | 9% | metadefender |
DOC000YUT60.exe | 100% | Avira | HEUR/AGEN.1032427

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Videos\Regdriver.exe | 100% | Avira | HEUR/AGEN.1032427
C:\Users\user\Music\regdrv.exe | 100% | Avira | HEUR/AGEN.1032427
C:\Users\user\Music\regdrv.exe | 61% | virustotal |
C:\Users\user\Music\regdrv.exe | 9% | metadefender |
C:\Users\user\Videos\Regdriver.exe | 61% | virustotal |
C:\Users\user\Videos\Regdriver.exe | 9% | metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.regdrv.exe.2580000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
6.0.regdrv.exe.400000.4.unpack | 100% | Avira | BDS/DarkKomet.GS
6.2.regdrv.exe.400000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
3.0.regdrv.exe.400000.4.unpack | 100% | Avira | BDS/DarkKomet.GS
2.2.regdrv.exe.25d0000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
6.1.regdrv.exe.400000.0.unpack | 100% | Avira | BDS/DarkKomet.GS
6.0.regdrv.exe.400000.5.unpack | 100% | Avira | BDS/DarkKomet.GS
3.2.regdrv.exe.400000.3.unpack | 100% | Avira | BDS/DarkKomet.GS
3.0.regdrv.exe.400000.5.unpack | 100% | Avira | BDS/DarkKomet.GS
3.1.regdrv.exe.400000.0.unpack | 100% | Avira | BDS/DarkKomet.GS

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://SAC.home-page.org | 0% | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000006.00000000.479399059.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000001.481410763.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000001.481410763.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000006.00000000.479399059.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000002.00000003.450764221.7F370000.00000004.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000005.00000002.491857687.02580000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000005.00000002.491857687.02580000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000002.00000002.462554403.025D0000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000002.00000002.462554403.025D0000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000001.447610474.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000001.447610474.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000002.699224479.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000002.699224479.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000006.00000000.479959577.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000000.479959577.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000006.00000002.482534154.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000006.00000002.482534154.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000000.446776706.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000000.446776706.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000005.00000003.485657484.7F370000.00000004.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
00000003.00000000.446217367.00400000.00000040.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
00000003.00000000.446217367.00400000.00000040.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source | Rule | Description | Author
6.1.regdrv.exe.400000.0.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.1.regdrv.exe.400000.0.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
5.2.regdrv.exe.2580000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
5.2.regdrv.exe.2580000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.2.regdrv.exe.400000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.2.regdrv.exe.400000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.5.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.5.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
2.2.regdrv.exe.25d0000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
2.2.regdrv.exe.25d0000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
5.2.regdrv.exe.2580000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
5.2.regdrv.exe.2580000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
2.2.regdrv.exe.25d0000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
2.2.regdrv.exe.25d0000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.4.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.4.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.1.regdrv.exe.400000.0.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.1.regdrv.exe.400000.0.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.2.regdrv.exe.400000.3.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.2.regdrv.exe.400000.3.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.5.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.5.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.2.regdrv.exe.400000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.2.regdrv.exe.400000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.4.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.4.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.2.regdrv.exe.400000.3.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.2.regdrv.exe.400000.3.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.5.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.5.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.4.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.4.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.0.regdrv.exe.400000.5.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.0.regdrv.exe.400000.5.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
6.0.regdrv.exe.400000.4.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
6.0.regdrv.exe.400000.4.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.1.regdrv.exe.400000.0.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.1.regdrv.exe.400000.0.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
3.1.regdrv.exe.400000.0.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
3.1.regdrv.exe.400000.0.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
ORIONTELEKOM-ASRS | 79SWIFT COPY,pdf-INV I086#.exe | f1df846ab638f0356f84a9fe14eaeb1cf98c17fb410ac1308c144c0683c89ed8 | malicious | 95.140.125.9
ORIONTELEKOM-ASRS | 23RFQ-15-0798101-1296.jar | aca07b5c2399523b768b7cafd3d33975900d50d05073974a93c0b74683aabc32 | malicious | 95.140.125.118
ORIONTELEKOM-ASRS | payment advice 20_03 2018.doc | c95780a21ae219e68bc2431a6e98aa1ead481129a293b9aee739a82d80ffc668 | malicious | 77.105.36.181
ORIONTELEKOM-ASRS | SWIFT COPY 02.js | 23b46da625d2d17af9daf2640f05769eb9e2166b27d82b3f09f09e13d2bfd067 | malicious | 95.140.125.117
ORIONTELEKOM-ASRS | Contract Cop.exe | af88f00b02c7fafa486e46001e29f1aae1205fd83ff962b9ff857293640c7332 | malicious | 95.140.125.81
ORIONTELEKOM-ASRS | 536ffa992-491508d-ca0354e-52f32a3-7a679a53a.doc | d5f72d16015ba479d1200f68515efb1602622b3b1bcab6dbda633e63caca82ee | malicious | 93.93.196.254
ORIONTELEKOM-ASRS | Inv 54869 - PO #4F634410.doc | e39be590fb6dfa04ae6d6720588694aea026cb4d6d68f60b56d3bcea85f13455 | malicious | 77.105.36.132
ORIONTELEKOM-ASRS | SCAN_9097765.js | 13b5960a44dabd990e8326bf9d675a4c335d9be6b06db81875cc2e4a2c7b9a2c | malicious | 95.140.125.119
ORIONTELEKOM-ASRS | SCAN_9097765.js | 13b5960a44dabd990e8326bf9d675a4c335d9be6b06db81875cc2e4a2c7b9a2c | malicious | 95.140.125.119
ORIONTELEKOM-ASRS | atmos_weber.exe | f95938b4343d5a2c7250472f71850aacb6ef3575cdc52de5c9b86e2106a3b3eb | malicious | 95.140.125.108
ORIONTELEKOM-ASRS | 04172018HSBCJSZZH_app.doc | 496930937ee43a2c13fd371cdadf77dc0a4c9c6b366c0c89b95acb9b8edf63fa | malicious | 79.175.102.12
ORIONTELEKOM-ASRS | 66DHL SHIPMENT INF.exe | 3e81efc218937fca3b8ca1beb162bf08b12bf19f508140510c771e9e325fc567 | malicious | 95.140.125.82
ORIONTELEKOM-ASRS | 66DHL SHIPMENT INF.exe | 3e81efc218937fca3b8ca1beb162bf08b12bf19f508140510c771e9e325fc567 | malicious | 95.140.125.82
ORIONTELEKOM-ASRS | Inv 54869 - PO #4F634410.doc | e39be590fb6dfa04ae6d6720588694aea026cb4d6d68f60b56d3bcea85f13455 | malicious | 77.105.36.132
ORIONTELEKOM-ASRS | 35PO#ORDER$9880.exe | 70c4a701c97b89afa03e1e092cc7e3b11fb4c364ce8f66103228287d24cb3d74 | malicious | 95.140.125.50
ORIONTELEKOM-ASRS | SWIFT COPY 02.js | 23b46da625d2d17af9daf2640f05769eb9e2166b27d82b3f09f09e13d2bfd067 | malicious | 95.140.125.117

Dropped Files

No context

Startup

  • System is w7_1
  • DOC000YUT600.exe (PID: 3420 cmdline: 'C:\Users\user\Desktop\DOC000YUT600.exe' MD5: CD1974C09F7171E19634DE0E00D7EFB7)
    • regdrv.exe (PID: 3452 cmdline: 'C:\Users\user\Music\regdrv.exe' MD5: CD1974C09F7171E19634DE0E00D7EFB7)
      • regdrv.exe (PID: 3468 cmdline: C:\Users\user\Music\regdrv.exe MD5: CD1974C09F7171E19634DE0E00D7EFB7)
  • Regdriver.exe (PID: 3484 cmdline: 'C:\Users\user\Videos\Regdriver.exe' MD5: CD1974C09F7171E19634DE0E00D7EFB7)
    • regdrv.exe (PID: 3532 cmdline: 'C:\Users\user\Music\regdrv.exe' MD5: CD1974C09F7171E19634DE0E00D7EFB7)
      • regdrv.exe (PID: 3540 cmdline: C:\Users\user\Music\regdrv.exe MD5: CD1974C09F7171E19634DE0E00D7EFB7)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\dclogs\2018-08-29-4.dc
Process:C:\Users\user\Music\regdrv.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):71
Entropy (8bit):4.396993993112084
Encrypted:false
MD5:1BF13C6F0627F41E42511316B964E49A
SHA1:2054EAC296FE8621F815BCD07A482946B87B5B4A
SHA-256:5E19DEDE267E426E80B174CF8D6001189F88949CC375515F74FE454CAB39532E
SHA-512:69C8487A23B5AE88AC2B472A007505E0FDA59161D69621604A8B1D06D3A8D35CC07F4CA1B6DCE87755C157C01798659752B25C501D99EB33AD73369BC24FC814
Malicious:false
Reputation:low
C:\Users\user\Music\regdrv.exe
Process:C:\Users\user\Desktop\DOC000YUT600.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):1816064
Entropy (8bit):6.7932256230048225
Encrypted:false
MD5:CD1974C09F7171E19634DE0E00D7EFB7
SHA1:41F02346C16FB2585EDB2585EF67766E42E69528
SHA-256:CCF07ED87CE33179BA77B74372818958A04236860738CE96993976493488E7B4
SHA-512:485C46E035CA077065645DBA67D1F40E0787ED04175A6A11E5FBE9E5D1289B98376F3B845B97871DD0CB6629061A3A12ED537FB11FE1DB7001849288FAA5E717
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: virustotal, Detection: 61%
  • Antivirus: metadefender, Detection: 9%
Reputation:low
C:\Users\user\Music\regdrv.exe:Zone.Identifier
Process:C:\Users\user\Desktop\DOC000YUT600.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):26
Entropy (8bit):3.9500637564362093
Encrypted:false
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
C:\Users\user\Videos\Regdriver.exe
Process:C:\Users\user\Desktop\DOC000YUT600.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):1816064
Entropy (8bit):6.7932256230048225
Encrypted:false
MD5:CD1974C09F7171E19634DE0E00D7EFB7
SHA1:41F02346C16FB2585EDB2585EF67766E42E69528
SHA-256:CCF07ED87CE33179BA77B74372818958A04236860738CE96993976493488E7B4
SHA-512:485C46E035CA077065645DBA67D1F40E0787ED04175A6A11E5FBE9E5D1289B98376F3B845B97871DD0CB6629061A3A12ED537FB11FE1DB7001849288FAA5E717
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: virustotal, Detection: 61%
  • Antivirus: metadefender, Detection: 9%
Reputation:low
C:\Users\user\Videos\Regdriver.exe:Zone.Identifier
Process:C:\Users\user\Desktop\DOC000YUT600.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):26
Entropy (8bit):3.9500637564362093
Encrypted:false
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://SAC.home-page.org | regdrv.exe, 00000002.00000002.451751956.013B0000.00000004.sdmp | false | | unknown

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
95.140.125.42 | Serbia | 9125 | ORIONTELEKOM-ASRS | true

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.7932256230048225
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:DOC000YUT60.exe
File size:1816064
MD5:cd1974c09f7171e19634de0e00d7efb7
SHA1:41f02346c16fb2585edb2585ef67766e42e69528
SHA256:ccf07ed87ce33179ba77b74372818958a04236860738ce96993976493488e7b4
SHA512:485c46e035ca077065645dba67d1f40e0787ed04175a6a11e5fbe9e5d1289b98376f3b845b97871dd0cb6629061a3a12ed537fb11fe1db7001849288faa5e717
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Static PE Info

General

Entrypoint:0x614001
Entrypoint Section:.data
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:6d53ec3a4000e578abfe26f2247d34a4

Entrypoint Preview

Instruction
pushad
call 00007F7474FB1A76h
nop
pop ebp
sub ebp, 0045AFBFh
mov ebx, 0045AFB8h
add ebx, ebp
sub ebx, dword ptr [ebp+0045C391h]
cmp dword ptr [ebp+0045C28Ch], 00000000h
mov dword ptr [ebp+0045BFF5h], ebx
jne 00007F7474FB2B44h
lea eax, dword ptr [ebp+0045C294h]
push eax
call dword ptr [ebp+0045C3D0h]
mov dword ptr [ebp+0045C290h], eax
mov edi, eax
lea ebx, dword ptr [ebp+0045C2A1h]
push ebx
push eax
call dword ptr [ebp+0045C3CCh]
mov dword ptr [ebp+0045C399h], eax
lea ebx, dword ptr [ebp+0045C2ACh]
push ebx
push edi
call dword ptr [ebp+0045C3CCh]
mov dword ptr [ebp+0045C39Dh], eax
mov eax, dword ptr [ebp+0045BFF5h]
mov dword ptr [ebp+0045C28Ch], eax
jmp 00007F7474FB1ABDh
push 00000004h
push 00001000h
push 000010CEh
push 00000000h
call dword ptr [ebp+0045C399h]
mov dword ptr [ebp+0045C395h], eax
lea ebx, dword ptr [ebp+0045B07Dh]
push eax
push ebx
call 00007F7474FB2B67h
mov ecx, eax
lea edi, dword ptr [ebp+0045B07Dh]
mov esi, dword ptr [ebp+0045C395h]
rep movsb
mov eax, dword ptr [ebp+0045C395h]
push 00008000h
push 00000000h
push eax

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215464 | 0x400 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x16f750 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2152cc | 0x8 | .data
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2153fc | 0x18 | .data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x100000 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8c000 | 0x36200 | False | 0.99912943851 | data | 7.99893055838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.itext | 0x8d000 | 0x1000 | 0x600 | False | 0.901692708333 | data | 7.33978754225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x8e000 | 0x3000 | 0xe00 | False | 0.897600446429 | data | 7.48715231717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss | 0x91000 | 0x4000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x95000 | 0x3000 | 0x400 | False | 0.8056640625 | data | 6.6138767395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x98000 | 0x1000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x99000 | 0x1000 | 0x200 | False | 0.05078125 | dBase IV DBT of \254\347H.DBF, blocks size 4816960, next free block index 4816896 | 0.210826267787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x9a000 | 0xa000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x170000 | 0x16f800 | False | 0.65108551233 | data | 6.2232248145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x214000 | 0x14000 | 0x13e00 | False | 0.930117433176 | data | 7.71081914706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x228000 | 0x1000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0xa53f8 | 0x134 | data | English | United States
RT_CURSOR | 0xa552c | 0x134 | data | English | United States
RT_CURSOR | 0xa5660 | 0x134 | data | English | United States
RT_CURSOR | 0xa5794 | 0x134 | data | English | United States
RT_CURSOR | 0xa58c8 | 0x134 | data | English | United States
RT_CURSOR | 0xa59fc | 0x134 | data | English | United States
RT_CURSOR | 0xa5b30 | 0x134 | data | English | United States
RT_BITMAP | 0xa5c64 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa5e34 | 0x1e4 | data | English | United States
RT_BITMAP | 0xa6018 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa61e8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa63b8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa6588 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa6758 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa6928 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa6af8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa6cc8 | 0x1d0 | data | English | United States
RT_BITMAP | 0xa6e98 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xa6f80 | 0x128 | GLS_BINARY_LSB_FIRST | Russian | Russia
RT_ICON | 0xa70a8 | 0x568 | GLS_BINARY_LSB_FIRST | Russian | Russia
RT_ICON | 0xa7610 | 0x2e8 | data | Russian | Russia
RT_ICON | 0xa78f8 | 0x8a8 | data | Russian | Russia
RT_ICON | 0xa81a0 | 0x468 | GLS_BINARY_LSB_FIRST | Russian | Russia
RT_ICON | 0xa8608 | 0x988 | data | Russian | Russia
RT_ICON | 0xa8f90 | 0x10a8 | data | Russian | Russia
RT_ICON | 0xaa038 | 0x25a8 | data | Russian | Russia
RT_ICON | 0xac5e0 | 0x68d3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0xb2eb4 | 0x10828 | data | |
RT_ICON | 0xc36dc | 0x94a8 | data | |
RT_ICON | 0xccb84 | 0x5488 | data | |
RT_ICON | 0xd200c | 0x4228 | FoxPro FPT, blocks size 0, next free block index 671088640 | |
RT_ICON | 0xd6234 | 0x25a8 | dBase IV DBT of `.DBF, blocks size 48, block length 9216, next free block index 40, 1st item "\007\013" | |
RT_ICON | 0xd87dc | 0x10a8 | data | |
RT_ICON | 0xd9884 | 0x988 | data | |
RT_ICON | 0xda20c | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_DIALOG | 0xda674 | 0x52 | data | |
RT_DIALOG | 0xda6c8 | 0x52 | data | |
RT_STRING | 0xda71c | 0x1cc | data | |
RT_STRING | 0xda8e8 | 0x46c | data | |
RT_STRING | 0xdad54 | 0x33c | data | |
RT_STRING | 0xdb090 | 0xb4 | data | |
RT_STRING | 0xdb144 | 0xf0 | data | |
RT_STRING | 0xdb234 | 0x254 | data | |
RT_STRING | 0xdb488 | 0x3a4 | data | |
RT_STRING | 0xdb82c | 0x3f4 | data | |
RT_STRING | 0xdbc20 | 0x378 | data | |
RT_STRING | 0xdbf98 | 0x3a0 | data | |
RT_STRING | 0xdc338 | 0x214 | data | |
RT_STRING | 0xdc54c | 0xcc | data | |
RT_STRING | 0xdc618 | 0x194 | data | |
RT_STRING | 0xdc7ac | 0x3c4 | data | |
RT_STRING | 0xdcb70 | 0x338 | data | |
RT_STRING | 0xdcea8 | 0x294 | data | |
RT_RCDATA | 0xdd13c | 0x1266fa | ASCII text, with very long lines, with no line terminators | |
RT_RCDATA | 0x203838 | 0x3c6 | PC bitmap, Windows 3.x format, 20 x 20 x 8 | Russian | Russia
RT_RCDATA | 0x203c00 | 0x786 | PC bitmap, Windows 3.x format, 18 x 26 x 32 | Russian | Russia
RT_RCDATA | 0x204388 | 0x546 | PC bitmap, Windows 3.x format, 23 x 18 x 24 | Russian | Russia
RT_RCDATA | 0x2048d0 | 0x4aa | PC bitmap, Windows 3.x format, 19 x 19 x 24 | Russian | Russia
RT_RCDATA | 0x204d7c | 0x4e6 | PC bitmap, Windows 3.x format, 20 x 20 x 24 | Russian | Russia
RT_RCDATA | 0x205264 | 0xe4e | PC bitmap, Windows 3.x format, 29 x 41 x 24 | Russian | Russia
RT_RCDATA | 0x2060b4 | 0x83a | PC bitmap, Windows 3.x format, 25 x 27 x 24 | Russian | Russia
RT_RCDATA | 0x2068f0 | 0xc4e | PC bitmap, Windows 3.x format, 57 x 18 x 24 | Russian | Russia
RT_RCDATA | 0x207540 | 0x426 | PC bitmap, Windows 3.x format, 18 x 18 x 24 | Russian | Russia
RT_RCDATA | 0x207968 | 0x75e | PC bitmap, Windows 3.x format, 98 x 34 x 4 | Russian | Russia
RT_RCDATA | 0x2080c8 | 0xe6 | PC bitmap, Windows 3.x format, 56 x 21 x 1 | Russian | Russia
RT_RCDATA | 0x2081b0 | 0x7f6 | PC bitmap, Windows 3.x format, 30 x 30 x 8 | Russian | Russia
RT_RCDATA | 0x2089a8 | 0x2af6 | PC bitmap, Windows 3.x format, 75 x 48 x 24 | Russian | Russia
RT_RCDATA | 0x20b4a0 | 0x376 | PC bitmap, Windows 3.x format, 17 x 16 x 24 | Russian | Russia
RT_RCDATA | 0x20b818 | 0xf6 | PC bitmap, Windows 3.x format, 16 x 16 x 4 | Russian | Russia
RT_RCDATA | 0x20b910 | 0x87a | PC bitmap, Windows 3.x format, 30 x 23 x 24 | Russian | Russia
RT_RCDATA | 0x20c18c | 0x546 | PC bitmap, Windows 3.x format, 18 x 18 x 32 | Russian | Russia
RT_RCDATA | 0x20c6d4 | 0x546 | PC bitmap, Windows 3.x format, 18 x 18 x 32 | Russian | Russia
RT_RCDATA | 0x20cc1c | 0x4e6 | PC bitmap, Windows 3.x format, 20 x 20 x 24 | Russian | Russia
RT_RCDATA | 0x20d104 | 0x7ea | PC bitmap, Windows 3.x format, 22 x 29 x 24 | Russian | Russia
RT_RCDATA | 0x20d8f0 | 0x4aa | PC bitmap, Windows 3.x format, 19 x 19 x 24 | Russian | Russia
RT_RCDATA | 0x20dd9c | 0x3aa | PC bitmap, Windows 3.x format, 17 x 17 x 24 | Russian | Russia
RT_RCDATA | 0x20e148 | 0x4c39 | data | |
RT_GROUP_CURSOR | 0x212d84 | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x212d98 | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x212dac | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x212dc0 | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x212dd4 | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x212de8 | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x212dfc | 0x14 | Lotus 1-2-3 | English | United States
RT_GROUP_ICON | 0x212e10 | 0x84 | MS Windows icon resource - 9 icons, 256-colors | |
RT_GROUP_ICON | 0x212e94 | 0x76 | MS Windows icon resource - 8 icons, 16x16, 16-colors | Russian | Russia
RT_VERSION | 0x212f0c | 0x5fc | data | English | United States
RT_MANIFEST | 0x213508 | 0x245 | XML document text | English | United States

Imports

DLL | Import
kernel32.dll | GetProcAddress, GetModuleHandleA, LoadLibraryA
oleaut32.dll | SysFreeString
advapi32.dll | RegQueryValueExA
user32.dll | GetKeyboardType
user32.dll | CreateWindowExA
msimg32.dll | GradientFill
gdi32.dll | UnrealizeObject
version.dll | VerQueryValueA
advapi32.dll | RegSetValueExA
oleaut32.dll | CreateErrorInfo
ole32.dll | CoCreateInstance
oleaut32.dll | SafeArrayPtrOfIndex
comctl32.dll | _TrackMouseEvent
urlmon.dll | URLDownloadToFileA
shell32.dll | ShellExecuteA
winspool.drv | OpenPrinterA
comdlg32.dll | PrintDlgA
shfolder.dll | SHGetFolderPathA

Version Infos

Description | Data
LegalCopyright | Giorgio Tani, LGPLv3
InternalName | PeaZip
FileVersion | 5.6.0
CompanyName | Giorgio Tani
LegalTrademarks | none
ProductName | PeaZip
ProductVersion | 5.6.0
FileDescription | PeaZip, file and archive manager
OriginalFilename | PeaZip
Translation | 0x0409 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken
English | United States
Russian | Russia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2018 10:00:29.419099092 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:00:29.644283056 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:00:29.644598007 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:00:29.857481003 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:00:29.857990026 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:00:30.098074913 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:00:30.126121998 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:00:30.623514891 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:00:39.304467916 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:00:39.314781904 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:00:39.833359957 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:00:49.707680941 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:00:50.206440926 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:01:09.707457066 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:01:10.220314980 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:01:26.459423065 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:01:26.462915897 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:01:26.818218946 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:01:29.725163937 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:01:30.211399078 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:01:49.738543987 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:01:50.209827900 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:02:09.776155949 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:02:10.209705114 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:02:13.582567930 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82
Aug 29, 2018 10:02:13.586133957 CEST | 49188 | 1908 | 192.168.1.82 | 95.140.125.42
Aug 29, 2018 10:02:14.115024090 CEST | 1908 | 49188 | 95.140.125.42 | 192.168.1.82

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior
System Behavior

General

Start time: 09:59:40
Start date: 29/08/2018
Path: C:\Users\user\Desktop\DOC000YUT600.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\DOC000YUT600.exe'
Imagebase: 0x400000
File size: 1816064 bytes
MD5 hash: CD1974C09F7171E19634DE0E00D7EFB7
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 09:59:46
Start date: 29/08/2018
Path: C:\Users\user\Music\regdrv.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Music\regdrv.exe'
Imagebase: 0x400000
File size: 1816064 bytes
MD5 hash: CD1974C09F7171E19634DE0E00D7EFB7
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000002.00000003.450764221.7F370000.00000004.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000002.00000002.462554403.025D0000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000002.00000002.462554403.025D0000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 61%, virustotal
  • Detection: 9%, metadefender
Reputation: low

General

Start time: 09:59:53
Start date: 29/08/2018
Path: C:\Users\user\Music\regdrv.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Music\regdrv.exe
Imagebase: 0x400000
File size: 1816064 bytes
MD5 hash: CD1974C09F7171E19634DE0E00D7EFB7
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000003.00000001.447610474.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000003.00000001.447610474.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000003.00000002.699224479.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000003.00000002.699224479.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000003.00000000.446776706.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000003.00000000.446776706.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000003.00000000.446217367.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000003.00000000.446217367.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 09:59:54
Start date: 29/08/2018
Path: C:\Users\user\Videos\Regdriver.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Videos\Regdriver.exe'
Imagebase: 0x400000
File size: 1816064 bytes
MD5 hash: CD1974C09F7171E19634DE0E00D7EFB7
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 61%, virustotal
  • Detection: 9%, metadefender
Reputation: low

General

Start time: 10:00:01
Start date: 29/08/2018
Path: C:\Users\user\Music\regdrv.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Music\regdrv.exe'
Imagebase: 0x400000
File size: 1816064 bytes
MD5 hash: CD1974C09F7171E19634DE0E00D7EFB7
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000005.00000002.491857687.02580000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000005.00000002.491857687.02580000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000005.00000003.485657484.7F370000.00000004.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 10:00:09
Start date: 29/08/2018
Path: C:\Users\user\Music\regdrv.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Music\regdrv.exe
Imagebase: 0x400000
File size: 1816064 bytes
MD5 hash: CD1974C09F7171E19634DE0E00D7EFB7
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000006.00000000.479399059.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000006.00000001.481410763.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000006.00000001.481410763.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000006.00000000.479399059.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000006.00000000.479959577.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000006.00000000.479959577.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000006.00000002.482534154.00400000.00000040.sdmp, Author: Florian Roth
  • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000006.00000002.482534154.00400000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

Disassembly

Code Analysis

    Executed Functions

    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • GetModuleFileNameA.KERNEL32(?,?,000000FF,00000000,0035082F), ref: 00350733
      • Part of subcall function 003504FC: CreateFileA.KERNEL32(003504EC,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00350512
    • GetLastError.KERNEL32(00000000,00350664,?,00000000,0035082F), ref: 0035060D
    • GetLastError.KERNEL32(00000000,00350664,?,00000000,0035082F), ref: 00350625
    • GetLastError.KERNEL32(00000000,00350664,?,00000000,0035082F), ref: 0035063D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,000F003F,?,00000000,00346E88), ref: 00346DFC
    • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,00346E88), ref: 00346E31
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,00343BD2), ref: 00343ABB
      • Part of subcall function 00342D3C: LoadStringA.USER32(0033DF78,0000FF86,?,00000400), ref: 00342D59
      • Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00346FF5
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00346F0C,?,?,?,?,?,00346F0C), ref: 00346EDA
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • CreateFileA.KERNEL32(00000000,00000001,00000001,00000000,00000003,00000080,00000000), ref: 00342DAA
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00342DEC
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • CreateFileA.KERNEL32(003504EC,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00350512
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd

    Non-executed Functions

    APIs
    • LoadLibraryA.KERNEL32(?), ref: 0034FD9B
    • GetProcAddress.KERNEL32(?,?,00000000,0034FEDD), ref: 0034FDAB
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,0034FEDD), ref: 0034FDCF
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • FindFirstFileA.KERNEL32(00000000,?,?,?,?,0034F347,00000000,0034F389), ref: 00342EC3
    • GetLastError.KERNEL32(00000000,?,?,?,?,0034F347,00000000,0034F389), ref: 00342EE6
      • Part of subcall function 00342E44: FindNextFileA.KERNEL32(?,?), ref: 00342E54
      • Part of subcall function 00342E44: GetLastError.KERNEL32(?,?), ref: 00342E5D
      • Part of subcall function 00342E44: FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
      • Part of subcall function 00342E44: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80
      • Part of subcall function 00342EF4: FindClose.KERNEL32(?,00342EE4,00000000,?,?,?,?,0034F347,00000000,0034F389), ref: 00342EFD
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • GetVersionExA.KERNEL32(?,00344D3C,00000000,00344D4A), ref: 0034444E
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    APIs
    • GetWindowTextA.USER32(?,?,00000100), ref: 0034ED8C
    • GetClassNameA.USER32(?,?,00000100), ref: 0034EDA6
    • FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0034EDF3
    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0034EE08
    • SendMessageA.USER32(?,0000000F,00000000,00000000), ref: 0034EE17
    • SendMessageA.USER32(?,00000002,00000000,00000000), ref: 0034EE23
    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 0034EE2F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
    • GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
    • ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
    • GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
    • GetFileType.KERNEL32 ref: 00341D11
    • CloseHandle.KERNEL32 ref: 00341D2C
    • GetLastError.KERNEL32(000000F5), ref: 00341D46
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
    • VariantCopy.OLEAUT32(?), ref: 00410325
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
    • LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
    • VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
    • LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
    • RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
    • RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA
      • Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46
      • Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • TlsAlloc.KERNEL32(0000001B,?,003515BF), ref: 003410D0
    • TlsFree.KERNEL32(0000001B,?,003515BF), ref: 00341124
      • Part of subcall function 003410F0: TlsGetValue.KERNEL32(0000001B,00341115,?,003515BF), ref: 003410FF
      • Part of subcall function 003410F0: LocalFree.KERNEL32(00000000,0000001B,00341115,?,003515BF), ref: 00341109
      • Part of subcall function 00341044: LocalAlloc.KERNEL32(00000040,00000008,?,003410AC,0000001B,0034244B,00000000,003424B2), ref: 0034105F
      • Part of subcall function 00341044: TlsSetValue.KERNEL32(0000001B,00000000,00000040,00000008,?,003410AC,0000001B,0034244B,00000000,003424B2), ref: 0034107D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RtlInitializeCriticalSection.NTDLL(`0), ref: 0033F89E
    • RtlEnterCriticalSection.NTDLL(`0), ref: 0033F8B1
    • LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0033F93E), ref: 0033F8DB
    • RtlLeaveCriticalSection.NTDLL(`0), ref: 0033F938
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(`0), ref: 0033FF87
    • RtlLeaveCriticalSection.NTDLL(`0), ref: 003400B2
      • Part of subcall function 0033F888: RtlInitializeCriticalSection.NTDLL(`0), ref: 0033F89E
      • Part of subcall function 0033F888: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F8B1
      • Part of subcall function 0033F888: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0033F93E), ref: 0033F8DB
      • Part of subcall function 0033F888: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033F938
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5
      • Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
      • Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
      • Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
      • Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
      • Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
      • Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E
    • ExitProcess.KERNEL32 ref: 00341F0D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
    • VariantClear.OLEAUT32(?), ref: 00410037
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    APIs
    • FindNextFileA.KERNEL32(?,?), ref: 00342E54
    • GetLastError.KERNEL32(?,?), ref: 00342E5D
    • FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
    • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(`0), ref: 00340120
    • RtlLeaveCriticalSection.NTDLL(`0), ref: 00340258
      • Part of subcall function 0033F888: RtlInitializeCriticalSection.NTDLL(`0), ref: 0033F89E
      • Part of subcall function 0033F888: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F8B1
      • Part of subcall function 0033F888: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0033F93E), ref: 0033F8DB
      • Part of subcall function 0033F888: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033F938
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0034F4B1), ref: 0034F3DF
      • Part of subcall function 003439A4: GetLocalTime.KERNEL32(?), ref: 003439AC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(`0), ref: 00340483
      • Part of subcall function 0033FF44: RtlEnterCriticalSection.NTDLL(`0), ref: 0033FF87
      • Part of subcall function 0033FF44: RtlLeaveCriticalSection.NTDLL(`0), ref: 003400B2
    • RtlLeaveCriticalSection.NTDLL(`0), ref: 003404EC
      • Part of subcall function 003400CC: RtlEnterCriticalSection.NTDLL(`0), ref: 00340120
      • Part of subcall function 003400CC: RtlLeaveCriticalSection.NTDLL(`0), ref: 00340258
      • Part of subcall function 0033F888: RtlInitializeCriticalSection.NTDLL(`0), ref: 0033F89E
      • Part of subcall function 0033F888: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F8B1
      • Part of subcall function 0033F888: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0033F93E), ref: 0033F8DB
      • Part of subcall function 0033F888: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033F938
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00346B3E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    APIs
    • RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
    • RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
    • Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
    • Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
    • Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
    • Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
    • Associated: 00000001.00000002.426904799.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_DOC000YUT600.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_3_33d000_DOC000YUT600.jbxd

    Executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
    • Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
    • Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
    • Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
    • Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
    • Associated: 00000002.00000002.451621919.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_regdrv.jbxd
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
    • VariantCopy.OLEAUT32(?), ref: 00410325
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
    • VariantClear.OLEAUT32(?), ref: 00410037

    Execution Graph

    Execution Coverage:4.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:10.8%
    Total number of Nodes:1663
    Total number of Limit Nodes:42

    Graph

38603 406d6f 38599->38603 38600->38601 38601->38314 38602->38314 38603->38602 38605 406d7f lstrlenA 38603->38605 38606 406d97 38605->38606 38606->38602 38607 406de4 38606->38607 38608 406dbc lstrcpynA LoadLibraryExA 38606->38608 38607->38602 38609 406dee lstrcpynA LoadLibraryExA 38607->38609 38608->38607 38609->38602 38610 406e20 lstrcpynA LoadLibraryExA 38609->38610 38610->38602 38611->38598 38613 40162c 38612->38613 38613->38319 38615 48aebe 38614->38615 38616 48aee8 38615->38616 38617 48aef5 GetCurrentProcess OpenProcessToken 38615->38617 38620 405530 11 API calls 38616->38620 38618 48af9a GetLastError 38617->38618 38619 48af12 38617->38619 38618->38616 38622 48af2c LookupPrivilegeValueA 38619->38622 38621 48afd5 38620->38621 38621->38232 38623 48af38 AdjustTokenPrivileges 38622->38623 38624 48af7c CloseHandle 38622->38624 38623->38624 38624->38232 38627 48ddfb 38626->38627 38628 48de17 FindResourceA LoadResource SizeofResource LockResource 38627->38628 38629 405620 11 API calls 38628->38629 38630 48de46 38629->38630 38631 405584 11 API calls 38630->38631 38632 48de50 FreeResource 38631->38632 38633 405554 11 API calls 38632->38633 38634 48de70 38633->38634 38634->38248 38636 405868 38635->38636 38644 405584 38635->38644 38638 405886 38636->38638 38639 405878 38636->38639 38636->38644 38637 4055c6 38637->38251 38642 4058d9 38638->38642 38645 4055f4 11 API calls 38638->38645 38641 405584 11 API calls 38639->38641 38640 4055f4 11 API calls 38643 405598 38640->38643 38641->38644 38642->38642 38643->38637 38646 402f1c 11 API calls 38643->38646 38644->38640 38644->38643 38649 405826 38644->38649 38647 40589b 38645->38647 38646->38637 38648 405584 11 API calls 38647->38648 38650 4058c7 38648->38650 38649->38251 38650->38251 38652 4616df 38651->38652 38677 46193d 38652->38677 38697 46124c 11 API calls 38652->38697 38653 405530 11 API calls 38654 46195f 38653->38654 38678 4060f8 38654->38678 38657 461972 38660 405554 11 API calls 38657->38660 38658 46172b 38659 4055c8 
11 API calls 38658->38659 38661 461739 38659->38661 38662 46197f 38660->38662 38663 461782 38661->38663 38664 46174e 38661->38664 38662->38247 38705 406928 11 API calls 38663->38705 38698 406928 11 API calls 38664->38698 38666 461766 38699 405a3c 38666->38699 38669 4617a1 38670 405a3c 11 API calls 38669->38670 38671 461771 38670->38671 38706 406928 11 API calls 38671->38706 38673 46185a 38674 405a3c 11 API calls 38673->38674 38675 461871 38674->38675 38676 405a3c 11 API calls 38675->38676 38676->38677 38677->38653 38679 406101 38678->38679 38683 406136 38678->38683 38680 40613b 38679->38680 38684 406116 38679->38684 38681 406142 38680->38681 38682 40614c 38680->38682 38685 405530 11 API calls 38681->38685 38686 405554 11 API calls 38682->38686 38683->38657 38684->38683 38687 40611e 38684->38687 38688 40616f 38684->38688 38685->38683 38686->38683 38690 406122 38687->38690 38691 40617e 38687->38691 38688->38683 38707 4060e0 11 API calls 38688->38707 38692 40619c 38690->38692 38696 406126 38690->38696 38691->38683 38693 4060f8 11 API calls 38691->38693 38692->38683 38708 4060ac 11 API calls 38692->38708 38693->38691 38696->38683 38709 406934 11 API calls 38696->38709 38697->38658 38698->38666 38700 4059f0 38699->38700 38701 4055f4 11 API calls 38700->38701 38702 405a2b 38700->38702 38703 405a07 38701->38703 38702->38671 38703->38702 38704 402f1c 11 API calls 38703->38704 38704->38702 38705->38669 38706->38673 38707->38688 38708->38692 38709->38696 38711 405a76 38710->38711 38712 405a49 38710->38712 38713 405530 11 API calls 38711->38713 38712->38711 38715 405a5d 38712->38715 38714 405a6c 38713->38714 38714->38261 38716 405620 11 API calls 38715->38716 38716->38714 38720 405a34 38717->38720 38719 405a92 38719->38267 38721 4059f0 38720->38721 38722 405a2b 38721->38722 38723 4055f4 11 API calls 38721->38723 38722->38719 38724 405a07 38723->38724 38724->38722 38725 402f1c 11 API calls 38724->38725 38725->38722 38726 404544 38727 404573 38726->38727 38728 4045a2 
CompareStringA 38727->38728 38729 4045c2 38728->38729 38730 405530 11 API calls 38729->38730 38731 4045ca 38730->38731 38732 48dd0c GlobalMemoryStatus 38733 40af98 11 API calls 38732->38733 38734 48dd66 38733->38734 38735 405864 11 API calls 38734->38735 38736 48dd76 38735->38736 38737 405530 11 API calls 38736->38737 38738 48ddac 38737->38738 38739 4035c4 38740 4035da 38739->38740 38741 40363c CreateFileA 38740->38741 38742 4036ee GetStdHandle 38740->38742 38743 4035e0 38740->38743 38744 403762 GetLastError 38741->38744 38745 40365a 38741->38745 38742->38744 38748 403729 38742->38748 38744->38743 38747 403668 GetFileSize 38745->38747 38745->38748 38747->38744 38749 40367c SetFilePointer 38747->38749 38748->38743 38750 403733 GetFileType 38748->38750 38749->38744 38753 403698 ReadFile 38749->38753 38750->38743 38752 40374e CloseHandle 38750->38752 38752->38743 38753->38744 38754 4036ba 38753->38754 38754->38748 38755 4036cd SetFilePointer 38754->38755 38755->38744 38756 4036e2 SetEndOfFile 38755->38756 38756->38744 38757 4036ec 38756->38757 38757->38748 38758 421f68 38759 421f81 38758->38759 38760 421f95 RegQueryValueExA 38759->38760 38761 421fac 38760->38761 38762 475e2c 38763 475e44 38762->38763 38774 4613d8 38763->38774 38766 4055c8 11 API calls 38767 475e70 38766->38767 38768 4055c8 11 API calls 38767->38768 38769 475e7b 38768->38769 38770 405a3c 11 API calls 38769->38770 38771 475e94 send 38770->38771 38772 405554 11 API calls 38771->38772 38773 475ebc 38772->38773 38778 461403 38774->38778 38775 46166c 38776 405530 11 API calls 38775->38776 38777 461684 38776->38777 38779 4060f8 11 API calls 38777->38779 38778->38775 38780 461455 38778->38780 38781 461489 38778->38781 38782 461697 38779->38782 38801 406928 11 API calls 38780->38801 38802 406928 11 API calls 38781->38802 38784 405554 11 API calls 38782->38784 38787 4616a4 38784->38787 38786 46146d 38789 405a3c 11 API calls 38786->38789 38787->38766 38788 4614a8 38790 405a3c 11 API calls 38788->38790 38791 
461478 38789->38791 38790->38791 38803 406928 11 API calls 38791->38803 38793 461561 38794 405a3c 11 API calls 38793->38794 38795 461578 38794->38795 38796 405a3c 11 API calls 38795->38796 38797 461644 38796->38797 38804 4611cc 11 API calls 38797->38804 38799 46165e 38800 405584 11 API calls 38799->38800 38800->38775 38801->38786 38802->38788 38803->38793 38804->38799 38805 48d6a4 GetUserDefaultLangID VerLanguageNameA 38806 48d6cd 38805->38806 38807 460828 38814 4607e0 38807->38814 38809 46084b 38818 4606cc 13 API calls 38809->38818 38811 460857 38812 405530 11 API calls 38811->38812 38813 46086c 38812->38813 38815 405530 11 API calls 38814->38815 38816 4607f3 gethostname 38815->38816 38817 46080b 38816->38817 38817->38809 38818->38811 38819 48cf38 38820 405530 11 API calls 38819->38820 38821 48cf57 GetForegroundWindow 38820->38821 38822 48cf62 GetWindowTextLengthA 38821->38822 38827 48cf8f 38821->38827 38823 48cf75 38822->38823 38826 48cf7e GetWindowTextA 38823->38826 38824 405530 11 API calls 38825 48cfa4 38824->38825 38826->38827 38827->38824 38828 4818f8 38829 481930 38828->38829 38830 481936 CallNextHookEx 38828->38830 38829->38830 38831 48194d 38829->38831 38830->38831 38832 481d2a CallNextHookEx 38831->38832 38897 4818e0 MapVirtualKeyA 38831->38897 38833 481d70 38832->38833 38835 405530 11 API calls 38833->38835 38837 481d85 38835->38837 38838 481978 CallNextHookEx 38839 481991 38838->38839 38840 481a4d 38839->38840 38841 481bce 38839->38841 38842 4819a2 38839->38842 38843 481c4c GetKeyState GetKeyState GetKeyState GetKeyState 38840->38843 38847 481b98 38840->38847 38848 481baa 38840->38848 38849 481bbc 38840->38849 38850 481b2c 38840->38850 38851 481b3e 38840->38851 38852 481b50 38840->38852 38853 481b62 38840->38853 38854 481b74 38840->38854 38855 481ae4 38840->38855 38856 481b86 38840->38856 38844 4055c8 11 API calls 38841->38844 38842->38840 38842->38843 38842->38855 38865 481b08 38842->38865 38866 481c28 38842->38866 38867 481b1a 38842->38867 38868 
481c3a 38842->38868 38869 481be0 38842->38869 38870 481bf2 38842->38870 38871 481c04 38842->38871 38872 481af6 38842->38872 38873 481c16 38842->38873 38845 481c9e GetKeyboardState 38843->38845 38846 481af1 38843->38846 38844->38846 38983 40f310 13 API calls 38845->38983 38899 481318 38846->38899 38875 4055c8 11 API calls 38847->38875 38877 4055c8 11 API calls 38848->38877 38857 4055c8 11 API calls 38849->38857 38858 4055c8 11 API calls 38850->38858 38859 4055c8 11 API calls 38851->38859 38861 4055c8 11 API calls 38852->38861 38862 4055c8 11 API calls 38853->38862 38863 4055c8 11 API calls 38854->38863 38876 4055c8 11 API calls 38855->38876 38864 4055c8 11 API calls 38856->38864 38857->38846 38858->38846 38859->38846 38861->38846 38862->38846 38863->38846 38864->38846 38879 4055c8 11 API calls 38865->38879 38886 4055c8 11 API calls 38866->38886 38880 4055c8 11 API calls 38867->38880 38887 4055c8 11 API calls 38868->38887 38881 4055c8 11 API calls 38869->38881 38882 4055c8 11 API calls 38870->38882 38883 4055c8 11 API calls 38871->38883 38878 4055c8 11 API calls 38872->38878 38885 4055c8 11 API calls 38873->38885 38875->38846 38876->38846 38877->38846 38878->38846 38879->38846 38880->38846 38881->38846 38882->38846 38883->38846 38885->38846 38886->38846 38887->38846 38889 481caf 38889->38846 38890 405a3c 11 API calls 38889->38890 38891 481cca MapVirtualKeyA ToAscii 38890->38891 38892 481cef 38891->38892 38894 481ce8 38891->38894 38893 405530 11 API calls 38892->38893 38895 481cf7 38893->38895 38894->38846 38894->38895 38896 405530 11 API calls 38894->38896 38895->38846 38896->38846 38898 4818f0 38897->38898 38898->38838 38898->38839 38900 481320 38899->38900 38901 48135c ExitThread 38900->38901 38902 481363 38900->38902 38985 480f70 38902->38985 38904 48165f 39046 405818 38904->39046 38905 48136b 38905->38904 38994 480d08 38905->38994 38908 48166c 38909 405584 11 API calls 38908->38909 38910 481686 38909->38910 38910->38832 38984 481780 15 API calls 38910->38984 
38911 48141a 39006 48adcc SHGetSpecialFolderLocation SHGetPathFromIDListA 38911->39006 38912 481387 38912->38911 39019 403918 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38912->39019 38915 4813b2 39020 40305c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38915->39020 38918 480d08 11 API calls 38920 481437 38918->38920 38919 4813b7 38922 48adcc 13 API calls 38919->38922 38921 4058e0 11 API calls 38920->38921 38923 481447 38921->38923 38924 4813d8 38922->38924 38925 40a26c GetFileAttributesA 38923->38925 38926 480d08 11 API calls 38924->38926 38927 48144f 38925->38927 38928 4813e8 38926->38928 38929 481453 38927->38929 38930 481464 38927->38930 38932 4058e0 11 API calls 38928->38932 39021 40350c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38929->39021 39023 403500 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38930->39023 38935 4813f8 38932->38935 38934 48146e 39024 40305c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38934->39024 38939 480d08 11 API calls 38935->38939 38936 48145d 39022 40305c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38936->39022 38940 48140d 38939->38940 38942 405584 11 API calls 38940->38942 38941 481462 39025 40c8f8 38941->39025 38942->38911 38945 4058e0 11 API calls 38946 4814c7 38945->38946 39033 4040ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38946->39033 38948 4814d9 39034 40305c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38948->39034 38950 4814de 39035 4810b0 38950->39035 38952 481632 39044 403918 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38952->39044 38954 481650 39045 40305c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38954->39045 38956 4814e6 38956->38952 38958 40c8f8 13 API calls 38956->38958 38957 481655 38959 405530 11 API calls 38957->38959 38960 48152d 38958->38960 38959->38904 38961 4058e0 11 API calls 38960->38961 38962 481569 38961->38962 39041 4040ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38962->39041 38964 48157b 39042 40305c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 38964->39042 
38966 481580 38967 405584 11 API calls 38966->38967 38968 48158d 38967->38968 38969 4735e8 11 API calls 38968->38969 38970 4815a8 38969->38970 38970->38952 38971 4815b7 38970->38971 38972 48adcc 13 API calls 38971->38972 38973 4815c4 38972->38973 38974 480d08 11 API calls 38973->38974 38975 4815d4 38974->38975 38976 4058e0 11 API calls 38975->38976 38977 4815e4 38976->38977 39043 480fec 12 API calls 38977->39043 38979 4815ec 38980 4735e8 11 API calls 38979->38980 38981 4815fb 38980->38981 38981->38952 38982 48161a CreateThread 38981->38982 38982->38952 38983->38889 38984->38832 38986 405530 11 API calls 38985->38986 38987 480f8f GetForegroundWindow 38986->38987 38988 480f9a GetWindowTextLengthA 38987->38988 38989 480fc7 38987->38989 38990 480fad 38988->38990 38991 405530 11 API calls 38989->38991 38993 480fb6 GetWindowTextA 38990->38993 38992 480fdc 38991->38992 38992->38905 38993->38989 38995 480d2a 38994->38995 38996 405864 11 API calls 38995->38996 38997 480d7d 38995->38997 38996->38997 38998 405864 11 API calls 38997->38998 38999 480da8 38997->38999 38998->38999 39000 4058e0 11 API calls 38999->39000 39001 480deb 39000->39001 39002 405554 11 API calls 39001->39002 39003 480e05 39002->39003 39004 405554 11 API calls 39003->39004 39005 480e12 39004->39005 39005->38912 39007 48ae1c 39006->39007 39008 405a44 11 API calls 39007->39008 39009 48ae3e 39008->39009 39010 48ae50 39009->39010 39011 48ae61 39009->39011 39012 405864 11 API calls 39010->39012 39013 405584 11 API calls 39011->39013 39014 48ae5f 39012->39014 39013->39014 39015 405530 11 API calls 39014->39015 39016 48ae83 39015->39016 39017 405530 11 API calls 39016->39017 39018 481427 39017->39018 39018->38918 39019->38915 39020->38919 39021->38936 39022->38941 39023->38934 39024->38941 39026 40c926 39025->39026 39027 40c91b 39025->39027 39054 40c140 13 API calls 39026->39054 39053 40c140 13 API calls 39027->39053 39030 40c923 39031 405620 11 API calls 39030->39031 39032 40c945 39031->39032 39032->38945 
39033->38948 39034->38950 39036 4810b8 39035->39036 39055 431a44 IsClipboardFormatAvailable 39036->39055 39038 4810d1 39038->38956 39039 4810c1 39039->39038 39059 431584 14 API calls 39039->39059 39041->38964 39042->38966 39043->38979 39044->38954 39045->38957 39047 405826 39046->39047 39049 405584 39046->39049 39047->38908 39048 405598 39050 4055c6 39048->39050 39052 402f1c 11 API calls 39048->39052 39049->39047 39049->39048 39051 4055f4 11 API calls 39049->39051 39050->38908 39051->39048 39052->39050 39053->39030 39054->39030 39056 431a6a 39055->39056 39057 431a5b 39055->39057 39056->39039 39057->39056 39060 4319c4 44 API calls 39057->39060 39059->39038 39060->39056 39065 403558 39066 403568 WriteFile 39065->39066 39068 403564 39065->39068 39067 403580 GetLastError 39066->39067 39066->39068 39067->39068 39069 48fa10 39360 48b724 GetCurrentHwProfileA 39069->39360 39072 405584 11 API calls 39073 48fa25 39072->39073 39074 4735e8 11 API calls 39073->39074 39075 48fa32 39074->39075 39076 405584 11 API calls 39075->39076 39077 48fa3f 39076->39077 39078 48fa61 39077->39078 39079 405584 11 API calls 39077->39079 39080 4735e8 11 API calls 39078->39080 39079->39078 39081 48fa6e 39080->39081 39082 405584 11 API calls 39081->39082 39083 48fa7b 39082->39083 39084 48fa8d 39083->39084 39085 48fa9f 39083->39085 39086 405584 11 API calls 39084->39086 39087 405584 11 API calls 39085->39087 39088 48fa9d 39086->39088 39087->39088 39089 4735e8 11 API calls 39088->39089 39090 48fabb 39089->39090 39091 405584 11 API calls 39090->39091 39092 48fac8 39091->39092 39093 48fada 39092->39093 39094 48faec 39092->39094 39096 405584 11 API calls 39093->39096 39095 405584 11 API calls 39094->39095 39097 48faea 39095->39097 39096->39097 39098 4735e8 11 API calls 39097->39098 39099 48fb08 39098->39099 39100 4735e8 11 API calls 39099->39100 39101 48fb19 39100->39101 39384 48550c 39101->39384 39104 405584 11 API calls 39105 48fb32 39104->39105 39106 4735e8 11 API calls 39105->39106 39107 48fb3f 
39106->39107 39108 405584 11 API calls 39107->39108 39109 48fb4c 39108->39109 39110 40a5a0 11 API calls 39109->39110 39111 48fb5b 39110->39111 39429 40a68c 39111->39429 39114 4058e0 11 API calls 39115 48fb88 39114->39115 39116 40a26c GetFileAttributesA 39115->39116 39117 48fb90 39116->39117 39118 48fbd2 39117->39118 39119 40a5a0 11 API calls 39117->39119 39120 40f234 12 API calls 39118->39120 39121 48fba3 39119->39121 39122 48fbdc 39120->39122 39124 40a68c 11 API calls 39121->39124 39433 45f588 39122->39433 39126 48fbc0 39124->39126 39125 48fbe7 39127 45f588 19 API calls 39125->39127 39128 4058e0 11 API calls 39126->39128 39130 48fbfd 39127->39130 39128->39118 39129 4902ae 39131 4735e8 11 API calls 39129->39131 39130->39129 39441 473b6c 39130->39441 39133 4902be 39131->39133 39134 4902e8 39133->39134 39135 4902d0 CreateThread 39133->39135 39138 4735e8 11 API calls 39134->39138 39135->39134 39869 48e340 15 API calls 39135->39869 39136 48fc14 39136->39129 39137 40c8f8 13 API calls 39136->39137 39139 48fc54 39137->39139 39140 4902f8 39138->39140 39141 40c8f8 13 API calls 39139->39141 39142 49030a CreateThread 39140->39142 39143 490322 39140->39143 39144 48fc7e 39141->39144 39142->39143 39868 48e29c 27 API calls 39142->39868 39145 4735e8 11 API calls 39143->39145 39146 4058e0 11 API calls 39144->39146 39151 490332 39145->39151 39147 48fc9f 39146->39147 39450 48c0a4 39147->39450 39150 49034e 39153 4735e8 11 API calls 39150->39153 39151->39150 39612 471a2c 17 API calls 39151->39612 39155 49035e 39153->39155 39154 4735e8 11 API calls 39157 48fcd6 39154->39157 39156 4735e8 11 API calls 39155->39156 39164 49038a 39156->39164 39158 48fef1 39157->39158 39160 40a5a0 11 API calls 39157->39160 39159 4735e8 11 API calls 39158->39159 39170 48ff01 39159->39170 39161 48fcfe 39160->39161 39578 40a290 39161->39578 39163 4903aa 39168 4735e8 11 API calls 39163->39168 39164->39163 39613 47204c 17 API calls 39164->39613 39166 48fd2a 39177 40f234 12 API calls 39166->39177 39167 48fd0d 
39171 40a5a0 11 API calls 39167->39171 39178 4903ba 39168->39178 39169 48ff7f 39172 4735e8 11 API calls 39169->39172 39170->39169 39173 4735e8 11 API calls 39170->39173 39174 48fd1f 39171->39174 39179 48ff8f 39172->39179 39180 48ff23 39173->39180 39582 40a2b4 39174->39582 39181 48fd46 39177->39181 39183 4735e8 11 API calls 39178->39183 39184 48ffa9 39179->39184 39185 490007 39179->39185 39182 4735e8 11 API calls 39180->39182 39188 48fd51 CopyFileA 39181->39188 39187 48ff3f 39182->39187 39199 4903e1 39183->39199 39186 4735e8 11 API calls 39184->39186 39189 4735e8 11 API calls 39185->39189 39190 48ffb9 39186->39190 39198 4735e8 11 API calls 39187->39198 39191 48fe7e 39188->39191 39192 48fd5f 39188->39192 39193 490017 39189->39193 39202 48ffea 39190->39202 39203 48ffcb 39190->39203 39195 4735e8 11 API calls 39191->39195 39196 4735e8 11 API calls 39192->39196 39194 405584 11 API calls 39193->39194 39197 490027 39194->39197 39200 48fe8e 39195->39200 39201 48fd6f 39196->39201 39208 490039 39197->39208 39209 490051 39197->39209 39204 48ff5b 39198->39204 39205 4735e8 11 API calls 39199->39205 39600 485150 14 API calls 39200->39600 39207 405584 11 API calls 39201->39207 39212 4735e8 11 API calls 39202->39212 39210 4735e8 11 API calls 39203->39210 39603 46124c 11 API calls 39204->39603 39231 490408 39205->39231 39214 48fd7f 39207->39214 39606 472924 12 API calls 39208->39606 39218 4735e8 11 API calls 39209->39218 39216 48ffdb 39210->39216 39219 48fffa 39212->39219 39213 48fea1 39601 485248 18 API calls 39213->39601 39215 40a5a0 11 API calls 39214->39215 39221 48fd91 39215->39221 39604 4729dc 15 API calls 39216->39604 39217 48ff6c 39229 48ff77 MessageBoxA 39217->39229 39223 490061 39218->39223 39605 4729dc 15 API calls 39219->39605 39226 4058e0 11 API calls 39221->39226 39230 405584 11 API calls 39223->39230 39225 48fead 39233 4735e8 11 API calls 39225->39233 39234 48fdb2 39226->39234 39228 48ffe8 39228->39185 39229->39169 39235 490071 39230->39235 39232 49041f 39231->39232 
39614 4722b4 17 API calls 39231->39614 39237 4735e8 11 API calls 39232->39237 39242 48febd 39233->39242 39238 40a2b4 13 API calls 39234->39238 39240 49009b 39235->39240 39241 490083 39235->39241 39245 49042f 39237->39245 39239 48fdbd 39238->39239 39244 40a5a0 11 API calls 39239->39244 39243 4735e8 11 API calls 39240->39243 39607 472974 12 API calls 39241->39607 39242->39158 39247 4735e8 11 API calls 39242->39247 39248 4900ab 39243->39248 39249 48fdd1 39244->39249 39246 490446 39245->39246 39615 4721c4 17 API calls 39245->39615 39253 4735e8 11 API calls 39246->39253 39252 48fedf 39247->39252 39257 4900bd 39248->39257 39258 4900f5 39248->39258 39254 40a68c 11 API calls 39249->39254 39602 48c308 20 API calls 39252->39602 39263 490456 39253->39263 39256 48fdf4 39254->39256 39259 4058e0 11 API calls 39256->39259 39260 40f234 12 API calls 39257->39260 39262 4735e8 11 API calls 39258->39262 39261 48fe0a 39259->39261 39265 4900cf 39260->39265 39270 40f234 12 API calls 39261->39270 39271 490105 39262->39271 39264 49046d SetLastError 39263->39264 39616 4723a4 17 API calls 39263->39616 39268 490480 39264->39268 39267 4058e0 11 API calls 39265->39267 39269 4900ea 39267->39269 39469 407978 CreateMutexA 39268->39469 39608 46d36c 12 API calls 39269->39608 39275 48fe23 39270->39275 39272 4901b1 39271->39272 39277 40f234 12 API calls 39271->39277 39278 4735e8 11 API calls 39272->39278 39281 48fe2e CopyFileA 39275->39281 39276 49048a GetLastError 39279 49049d 39276->39279 39280 490496 ExitProcess 39276->39280 39282 490128 39277->39282 39283 4901c1 39278->39283 39285 4735e8 11 API calls 39279->39285 39284 40a5a0 11 API calls 39281->39284 39286 40a5a0 11 API calls 39282->39286 39291 4901d3 39283->39291 39292 4901e2 39283->39292 39287 48fe46 39284->39287 39297 4904ad 39285->39297 39288 490139 39286->39288 39289 40a68c 11 API calls 39287->39289 39294 40f234 12 API calls 39288->39294 39293 48fe69 39289->39293 39299 4901d8 Sleep 39291->39299 39295 4735e8 11 API calls 39292->39295 39296 
4058e0 11 API calls 39293->39296 39300 490167 39294->39300 39307 4901f2 39295->39307 39296->39191 39298 4904f0 39297->39298 39302 4735e8 11 API calls 39297->39302 39301 4735e8 11 API calls 39298->39301 39299->39292 39303 40a5a0 11 API calls 39300->39303 39315 490500 39301->39315 39304 4904cf 39302->39304 39305 490178 39303->39305 39304->39298 39316 4904e1 39304->39316 39308 405a44 11 API calls 39305->39308 39306 490209 39310 40a26c GetFileAttributesA 39306->39310 39307->39306 39610 48c5d0 EnumResourceNamesA 39307->39610 39311 49018b 39308->39311 39313 490215 39310->39313 39312 4058e0 11 API calls 39311->39312 39317 4901a6 39312->39317 39313->39129 39321 4735e8 11 API calls 39313->39321 39314 490539 39319 4735e8 11 API calls 39314->39319 39315->39314 39318 4735e8 11 API calls 39315->39318 39322 4904e6 Sleep 39316->39322 39609 46d36c 12 API calls 39317->39609 39325 490522 39318->39325 39324 490549 39319->39324 39323 49022d 39321->39323 39322->39298 39323->39129 39327 49023f 39323->39327 39326 4735e8 11 API calls 39324->39326 39325->39314 39617 48c5d0 EnumResourceNamesA 39325->39617 39329 490570 39326->39329 39330 4735e8 11 API calls 39327->39330 39470 48b1f8 39329->39470 39335 49024f 39330->39335 39333 405584 11 API calls 39341 490591 39333->39341 39334 49027e 39338 490290 ShellExecuteA Sleep ExitProcess 39334->39338 39335->39334 39336 40f234 12 API calls 39335->39336 39337 49026e 39336->39337 39611 474f80 43 API calls 39337->39611 39340 4905ba 39343 4735e8 11 API calls 39340->39343 39341->39340 39342 405584 11 API calls 39341->39342 39342->39340 39344 4905ca 39343->39344 39345 4905ff 39344->39345 39346 473b6c 13 API calls 39344->39346 39543 47eaec 39345->39543 39348 4905e1 39346->39348 39350 490601 39348->39350 39351 4905e5 39348->39351 39355 40f234 12 API calls 39350->39355 39354 4754c4 49 API calls 39351->39354 39352 405554 11 API calls 39353 490648 39352->39353 39356 405554 11 API calls 39353->39356 39354->39345 39357 49060e 39355->39357 39358 490655 39356->39358 
39493 4754c4 39357->39493 39361 48b77f 39360->39361 39362 48b7e2 39360->39362 39363 40a5d4 11 API calls 39361->39363 39364 405a44 11 API calls 39362->39364 39365 48b79b 39363->39365 39366 48b815 39364->39366 39367 405818 11 API calls 39365->39367 39618 40a5d4 39366->39618 39368 48b7ab 39367->39368 39369 48c91c 12 API calls 39368->39369 39370 48b7bb 39369->39370 39372 4058e0 11 API calls 39370->39372 39375 48b7d5 39372->39375 39374 405818 11 API calls 39376 48b841 39374->39376 39378 405554 11 API calls 39375->39378 39628 48c91c 39376->39628 39380 48b8ac 39378->39380 39382 405554 11 API calls 39380->39382 39381 4058e0 11 API calls 39381->39375 39383 48b8b9 39382->39383 39383->39072 39386 485515 39384->39386 39385 485730 39387 405584 11 API calls 39385->39387 39386->39385 39391 48556d 39386->39391 39388 48572e 39387->39388 39389 405554 11 API calls 39388->39389 39390 485754 39389->39390 39390->39104 39392 4855a6 39391->39392 39393 40a5d4 11 API calls 39391->39393 39396 405864 11 API calls 39392->39396 39397 4855ca 39392->39397 39394 48558f 39393->39394 39395 4058e0 11 API calls 39394->39395 39395->39392 39396->39397 39398 4855ee 39397->39398 39399 405864 11 API calls 39397->39399 39400 48adcc 13 API calls 39398->39400 39403 485617 39398->39403 39399->39398 39401 48560a 39400->39401 39402 405864 11 API calls 39401->39402 39402->39403 39404 48adcc 13 API calls 39403->39404 39407 485640 39403->39407 39405 485633 39404->39405 39406 405864 11 API calls 39405->39406 39406->39407 39408 48adcc 13 API calls 39407->39408 39411 485669 39407->39411 39409 48565c 39408->39409 39410 405864 11 API calls 39409->39410 39410->39411 39412 48adcc 13 API calls 39411->39412 39415 485692 39411->39415 39413 485685 39412->39413 39414 405864 11 API calls 39413->39414 39414->39415 39416 48adcc 13 API calls 39415->39416 39419 4856bb 39415->39419 39417 4856ae 39416->39417 39418 405864 11 API calls 39417->39418 39418->39419 39420 48adcc 13 API calls 39419->39420 39423 4856e4 39419->39423 39421 
(Execution graph, continued: the rendered graph itself is not recoverable from the extracted edge list; only the API-bearing nodes are kept here, grouped by what they do.)
    • Process creation and remote-thread injection: 0047558D CreateProcessA, then node 00474E20 VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject, ReadProcessMemory
    • Hook installation: 00481EE7 GetModuleHandleA, SetWindowsHookExA
    • File access: 0045F636 CreateFileA, CreateFileMappingA, MapViewOfFile, GetFileSize, UnmapViewOfFile, CloseHandle; 0040A26C and 0040A290 GetFileAttributesA; 0040A858 CreateDirectoryA; 00473A40 SHGetFolderPathA
    • Registry helpers: 0042187E and 00421991 RegCreateKeyExA; 0042195D, 004222DE, 00421A80, 00421AF0, 00421B5B RegOpenKeyExA; 00422264 RegQueryValueExA; 00422008 RegSetValueExA; RegCloseKey
    • Host and user fingerprinting: 0048C973 GetVolumeInformationA, 0048CE74 GetUserNameA, 0048CFE0 capGetDriverDescriptionA (webcam driver enumeration)
    • Network: 004863E7 send
    • Threading and message pump: CreateThread (004054CE, 0047EB7A), 0041FEF0 ResumeThread, GetMessageA / TranslateMessage / DispatchMessageA (0047ECB8, 00482041), 0041F79C InterlockedIncrement, 0041FA94 GetLastError, 0044579E SetThreadLocale, 0040E8CC CompareStringA
    • VCL window-procedure nodes (00445780 through 00445F1E and helpers): DefWindowProcA, SendMessageA, PostMessageA, IsWindowEnabled, IsWindowVisible, GetFocus, SetFocus, 0043B75C IsIconic, GetLastActivePopup, 0043BA80 GetCurrentThreadId / EnumThreadWindows; 0042B47C MulDiv, 0042B438 GetDC / SelectObject / GetTextMetricsA / ReleaseDC

    Executed Functions

    Control-flow Graph

    • Executed
    • Not Executed
    (Control-flow graph for function 004818F8, basic blocks 4818f8 through 481d85; this is the address passed as the hook procedure to SetWindowsHookExA at 00481F09 below. Blocks call CallNextHookEx, GetKeyState (four times), GetKeyboardState, MapVirtualKeyA, ToAscii and the subfunctions 004818E0, 00481318, 00481780 and 004055C8. The rendered graph is not recoverable from the text.)
    APIs
    • CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948
      • Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6
    • CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
    • GetKeyState.USER32(00000014), ref: 00481C4E
    • GetKeyState.USER32(00000011), ref: 00481C60
    • GetKeyState.USER32(000000A0), ref: 00481C75
    • GetKeyState.USER32(000000A1), ref: 00481C8A
    • GetKeyboardState.USER32(?), ref: 00481CA5
    • MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
    • ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE
      • Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
      • Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D
    • CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    • Executed
    • Not Executed
    (Control-flow graph for function 00406C2C, basic blocks 406c2c through 406e59: GetModuleFileNameA, three RegOpenKeyExA calls under the Software\Borland\Locales and Software\Borland\Delphi\Locales paths listed below, RegQueryValueExA, RegCloseKey, then lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA and up to three LoadLibraryExA calls. The rendered graph is not recoverable from the text.)
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2
      • Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
      • Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
      • Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
      • Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
      • Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
      • Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
      • Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
      • Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
      • Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
      • Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
      • Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
    • RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
    • RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
    • Sleep.KERNEL32(000000C8), ref: 00486682
    • TranslateMessage.USER32(?), ref: 00486690
    • DispatchMessageA.USER32(?), ref: 0048669C
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
    • socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
    • ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
    • inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
    • connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744
      • Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94
      • Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55
      • Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8
    • recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
    • shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
    • closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E
      • Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53
      • Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
      • Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    • Executed
    • Not Executed
    (Control-flow graph for function 00406D38, basic blocks 406d38 through 406e59, the tail of the locale lookup above: lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA and up to three lstrcpynA / LoadLibraryExA pairs. The rendered graph is not recoverable from the text.)
    APIs
    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
    • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
    • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
    • CloseHandle.KERNEL32(?), ref: 0048AF8D
    • GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
    • LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
    • SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
    • FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
    • SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09
      • Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
      • Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09
      • Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B
      • Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
      • Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
      • Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    [Rendered graph omitted in this text export. The function at 0048FA10 spans basic blocks 48fa10 through 490655; the executed/not-executed colouring and the block edges are not reproduced. Win32 calls the graph places inside this function: CopyFileA (blocks 48fd2a, 48fd5f), MessageBoxA (48ff13), ShellExecuteA, Sleep and ExitProcess (49027e), CreateThread (4902d0, 49030a), SetLastError and GetLastError followed by ExitProcess (49046d, 490496), Sleep (4901d3, 4904e1).]
    APIs
      • Part of subcall function 0048B724: GetCurrentHwProfileA.ADVAPI32(?), ref: 0048B776
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
      • Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B
    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048FD52
    • CopyFileA.KERNEL32(00000000,00000000,?), ref: 0048FE2F
      • Part of subcall function 00485150: RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
      • Part of subcall function 00485150: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
      • Part of subcall function 00485150: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF
      • Part of subcall function 0048C308: CloseHandle.KERNEL32(?), ref: 0048C390
    • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0048FF7A
      • Part of subcall function 004729DC: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472B0D,?,?,00000000,?,00000000,00000000,00472BD6,?,00000000,00472C12), ref: 00472AFE
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00490298
      • Part of subcall function 00472924: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00472969,?,?,?,?,00490051), ref: 0047294E
    • Sleep.KERNEL32(000003E8), ref: 004902A2
      • Part of subcall function 00472974: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004729D0), ref: 004729B0
      • Part of subcall function 0046D36C: ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9
    • Sleep.KERNEL32(000001F4), ref: 004901DD
    • ExitProcess.KERNEL32(00000000,000003E8), ref: 004902A9
      • Part of subcall function 00474F80: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
      • Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
      • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211
      • Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B
    • CreateThread.KERNEL32(00000000,00000000,0048E340,00000000,00000000,00499F94), ref: 004902E3
    • CreateThread.KERNEL32(00000000,00000000,0048E29C,00000000,00000000,00499F94), ref: 0049031D
    • SetLastError.KERNEL32(00000000,?,00490710,?), ref: 0049046F
      • Part of subcall function 00407978: CreateMutexA.KERNEL32(?,?,?,?,0049048A,00000000,00000000,00000000,00000000,?,00490710,?), ref: 0040798E
    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,00490710,?), ref: 0049048A
    • ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00490710,?), ref: 00490498
    • Sleep.KERNEL32(000001F4,00000000,00000000,00000000,00000000,?,00490710,?), ref: 004904EB
      • Part of subcall function 004754C4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
      • Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
      • Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1
      • Part of subcall function 0047EAEC: CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
      • Part of subcall function 0047EAEC: TranslateMessage.USER32(00499F5C), ref: 0047ECAD
      • Part of subcall function 0047EAEC: DispatchMessageA.USER32(00499F5C), ref: 0047ECB3
      • Part of subcall function 0047EAEC: GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF
      • Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473C8E
      • Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473CD8
      • Part of subcall function 0048C5D0: EnumResourceNamesA.KERNEL32(00000000,DPLUG,0048C494,00000000), ref: 0048C5F2
      • Part of subcall function 0048BEE4: EnumResourceNamesA.KERNEL32(00000000,DBIND,0048BDD4,00000000), ref: 0048BF06
      • Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0
      • Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
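    The call lists above are the parts of this trace a reviewer turns into findings: the hook installer at 00481EFB (SetWindowsHookExA with idHook 0000000D, which is WH_KEYBOARD_LL, next to the GetForegroundWindow/GetWindowTextA subcalls), the Run-key writer at 00485150 (RegOpenKeyA on hive 80000001, HKEY_CURRENT_USER, then RegSetValueExA), the SetLastError/CreateMutexA/GetLastError/ExitProcess sequence at 0049046F (a single-instance guard on ERROR_ALREADY_EXISTS, 183), the ShellExecuteA on cmd.exe in 0046D36C, and the long GetModuleHandleA/GetProcAddress runs in 00474F80 and 004754C4. The script below is an added example, not part of the Joe Sandbox report or the sample's code: it parses lines in the report's own "API.MODULE(args), ref: address" format and tags those five behaviours. SAMPLE_TRACE is copied from lines in this section with the long stale stack slots trimmed; because the report dumps raw stack slots, the export name passed to GetProcAddress is taken as the first identifier-like slot that is not a module name, which is a heuristic and an assumption of this script, as are the three-call lookahead window and the five-export threshold.

```python
"""Triage helper for Joe Sandbox API-trace lines (added example, not report code)."""
import re
from collections import defaultdict

# One trace line as the report prints it, optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker and a bullet.
_LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})",
    re.IGNORECASE,
)
_MODULE_NAMES = {"kernel32", "user32", "advapi32", "shell32", "ntdll"}
WH_KEYBOARD_LL = 0x0D                      # idHook value of a low-level keyboard hook
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}


def _hex(arg):
    """Integer value of a hex stack slot; None for '?' or string arguments."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_trace(text):
    """Turn report lines into dicts: api, module, args, ref address, owning subcall."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "mod": m.group("mod").upper(), "args": args,
                      "ref": int(m.group("ref"), 16), "sub": (m.group("sub") or "").upper()})
    return calls


def find_behaviours(calls):
    """Return (tag, detail, ref) tuples; ref is None for function-level findings."""
    hits = []
    resolved = defaultdict(list)           # resolving function -> exports looked up by name
    for i, c in enumerate(calls):
        api, args = c["api"], c["args"]
        window = calls[i + 1:i + 4]        # next three calls (assumed enough for these checks)
        if api == "RegOpenKeyA" and len(args) > 1 and args[1].lower().endswith("\\currentversion\\run"):
            hive = HIVES.get(_hex(args[0]), args[0])
            if any(d["api"] == "RegSetValueExA" and d["sub"] == c["sub"] for d in window):
                hits.append(("persistence", f"{hive}\\{args[1]} value set", c["ref"]))
        elif api == "SetWindowsHookExA" and len(args) > 1 and _hex(args[0]) == WH_KEYBOARD_LL:
            cb = _hex(args[1])
            cb_txt = f"{cb:#010x}" if cb is not None else args[1]
            hits.append(("keylogger", f"WH_KEYBOARD_LL hook, callback {cb_txt}", c["ref"]))
        elif api == "CreateMutexA" and {"GetLastError", "ExitProcess"} <= {d["api"] for d in window}:
            # Single-instance guard: GetLastError() == ERROR_ALREADY_EXISTS (183) -> exit
            hits.append(("single_instance", "CreateMutexA then GetLastError/ExitProcess", c["ref"]))
        elif api == "ShellExecuteA" and any(a.lower() == "cmd.exe" for a in args):
            hits.append(("spawn_shell", "ShellExecuteA launches cmd.exe", c["ref"]))
        elif api == "GetProcAddress":
            # The report dumps raw stack slots, so the export name is taken as the first
            # identifier-like slot that is not a module name (heuristic, assumption).
            name = next((a for a in args if a.isidentifier() and a.lower() not in _MODULE_NAMES), None)
            if name:
                resolved[c["sub"]].append(name)
    for func, names in resolved.items():
        if len(names) >= 5:                # threshold is an assumption, not a report value
            hits.append(("dynamic_imports", f"{func or 'listed function'} resolves " + ", ".join(names), None))
    return hits


# Lines copied from this section of the report, stale stack slots trimmed.
SAMPLE_TRACE = r"""
• SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09
  • Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
  • Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8
  • Part of subcall function 00485150: RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
  • Part of subcall function 00485150: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?), ref: 004851C6
  • Part of subcall function 0046D36C: ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9
  • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 00475122
  • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA), ref: 00475139
  • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress), ref: 00475151
  • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread), ref: 00475199
  • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError), ref: 004751C9
  • Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle), ref: 004751F9
• SetLastError.KERNEL32(00000000,?,00490710,?), ref: 0049046F
  • Part of subcall function 00407978: CreateMutexA.KERNEL32(?,?,?,?,0049048A,00000000,00000000), ref: 0040798E
• GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,00490710,?), ref: 0049048A
• ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00490710,?), ref: 00490498
"""

if __name__ == "__main__":
    for tag, detail, ref in find_behaviours(parse_trace(SAMPLE_TRACE)):
        print(f"{tag:16} {'' if ref is None else f'{ref:#010x}':10} {detail}")
```

    Feed it the APIs block of any function in the report; each finding carries the ref address of the call so it can be matched back to the listing. The lookahead window of three calls is tuned to this listing, where the registry write and the GetLastError/ExitProcess pair follow immediately; widen it for traces where the sandbox interleaves more subcall lines.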

    Control-flow Graph

    APIs
    • CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
    • GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF
      • Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0
      • Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC
      • Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94
      • Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55
      • Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8
    • TranslateMessage.USER32(00499F5C), ref: 0047ECAD
    • DispatchMessageA.USER32(00499F5C), ref: 0047ECB3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    [Rendered graph omitted in this text export. The function at 004458CC spans basic blocks 4458cc through 445f72; the executed/not-executed colouring and the block edges are not reproduced. Win32 calls the graph places inside this function: PostMessageA (blocks 445b93, 445bb5), SendMessageA (445c57), IsWindowEnabled (445d10, 445dc2), IsWindowVisible (445d25), GetFocus and SetFocus (445d3a), SetFocus (445dec, 445e6f), GetLastActivePopup (445e03), GetFocus (445e4f).]
    APIs
      • Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3
      • Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
      • Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
      • Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
      • Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040
      • Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
      • Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
      • Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
      • Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
      • Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
      • Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180
      • Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A
    • PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD
      • Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE
    • PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
    • SendMessageA.USER32(?,?,?,?), ref: 00445C73
      • Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
      • Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448
      • Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458
    • IsWindowEnabled.USER32(00000000), ref: 00445D18
    • IsWindowVisible.USER32(00000000), ref: 00445D2D
    • GetFocus.USER32 ref: 00445D41
    • SetFocus.USER32(00000000), ref: 00445D50
    • SetFocus.USER32(00000000), ref: 00445D6F
    • IsWindowEnabled.USER32(00000000), ref: 00445DD0
    • SetFocus.USER32(00000000), ref: 00445DF2
    • GetLastActivePopup.USER32(?), ref: 00445E0A
      • Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773
    • GetFocus.USER32 ref: 00445E4F
      • Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
      • Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0
    • SetFocus.USER32(00000000), ref: 00445E70
      • Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1
      • Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC
      • Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E
      • Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
      • Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB
      • Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
      • Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2
    • GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
    • RegisterClassA.USER32(004925FC), ref: 0044512B
      • Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582
      • Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB
    • SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
    • DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235
      • Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A
    • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
    • SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
    • GetSystemMenu.USER32(?,00000000), ref: 00445202
    • DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
    • DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
    • GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
    • GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
    • GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
    • GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
    • RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B
      • Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF
      • Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
      • Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
      • Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
      • Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
      • Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848
      • Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
      • Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
      • Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
      • Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07
      • Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
      • Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
      • Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
      • Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
      • Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1
    • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
    • GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
    • LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
      • Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
      • Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
      • Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
      • Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313
    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
    • OemToCharA.USER32(?,?), ref: 00444E9C
    • CharNextA.USER32(?), ref: 00444EDB
    • CharLowerA.USER32(00000000), ref: 00444EE1
      • Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
      • Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
      • Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
      • Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF
      • Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
      • Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
      • Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
      • Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
      • Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
      • Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
      • Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
      • Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
      • Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
    • ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
      • Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
      • Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
      • Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8
      • Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
      • Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
      • Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC
      • Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E
    • CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
    • OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
    • GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
    • GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
    • CloseHandle.KERNEL32(?), ref: 0048BA2A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
    • ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
    • GetStdHandle.KERNEL32(000000F5), ref: 0040371F
    • GetFileType.KERNEL32 ref: 00403735
    • CloseHandle.KERNEL32 ref: 00403750
    • GetLastError.KERNEL32(000000F5), ref: 00403768
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
      • Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
      • Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
      • Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C
      • Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404
    • GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02
      • Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352
      • Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393
      • Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F
      • Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
      • Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
      • Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
      • Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
      • Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Control-flow Graph

    APIs
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
    • GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
    • UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
    • CloseHandle.KERNEL32(00000000), ref: 0045F6F4
    • CloseHandle.KERNEL32(000000FF), ref: 0045F712
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
    • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
    • Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
    • Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
    • LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
    • LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8
      • Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
      • Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
      • Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
      • Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
      • Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
      • Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0
    • CoInitialize.OLE32(00000000), ref: 0048F8B5
      • Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
      • Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
      • Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
      • Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
      • Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
      • Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
      • Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8
      • Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2
      • Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4
      • Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
      • Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
      • Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C
      • Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
      • Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A
      • Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
      • Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
      • Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
      • Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
    • MS Shell Dlg 2, xrefs: 0042B50C
    • Tahoma, xrefs: 0042B4C4
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetForegroundWindow.USER32 ref: 00480F8F
    • GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
    • GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
    • UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
    • RegisterClassA.USER32(00491B50), ref: 00421194
      • Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB
      • Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2
    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
    • RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetThreadLocale.KERNEL32 ref: 0040EB2A
    • GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
    • GetSystemMetrics.USER32(0000002A), ref: 0040EB8C
      • Part of subcall function 0040EAAC: GetCPInfo.KERNEL32(00000000,?), ref: 0040EABC
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetForegroundWindow.USER32 ref: 0048CF57
    • GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
    • GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
      • Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09
    • TranslateMessage.USER32 ref: 00482036
    • DispatchMessageA.USER32 ref: 0048203C
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    APIs
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B
    APIs
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004219E9,?,?,00000000), ref: 0042195E
    • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,004219E9,?,?,00000000), ref: 00421992
    APIs
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
    • SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09
    APIs
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00403577
    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00403580
    APIs
    • GetUserDefaultLangID.KERNEL32 ref: 0048D6AA
    • VerLanguageNameA.KERNEL32(?,00000064,00000064), ref: 0048D6BA
    APIs
    • GetCurrentHwProfileA.ADVAPI32(?), ref: 0048B776
      • Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC
      • Part of subcall function 0048C91C: GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004222FA,?,?,00000000), ref: 004222DF
    APIs
    • CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,004045CB), ref: 004045AA
    APIs
    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB
    APIs
    • CreateThread.KERNEL32(00000000,?,Function_0000547C,00000000,?,00499F5C), ref: 00405504
    APIs
      • Part of subcall function 00422274: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004222FA,?,?,00000000), ref: 004222DF
    • RegCloseKey.ADVAPI32(00000000,00000000,00422371,?,00000000), ref: 0042234F
    APIs
    • GetVersion.KERNEL32(00000000,0048F75A), ref: 0048F6EE
      • Part of subcall function 0045DAE0: GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
      • Part of subcall function 0045DAE0: GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
      • Part of subcall function 0045DAE0: GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
      • Part of subcall function 0045DAE0: GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
      • Part of subcall function 0045DAE0: RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B
      • Part of subcall function 0045DAE0: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
      • Part of subcall function 0045DAE0: GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30
    APIs
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 004069E6
      • Part of subcall function 00406C2C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
      • Part of subcall function 00406C2C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
      • Part of subcall function 00406C2C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
      • Part of subcall function 00406C2C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2
      • Part of subcall function 00406C2C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
      • Part of subcall function 00406C2C: RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
      • Part of subcall function 00406C2C: RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
      • Part of subcall function 00406C2C: lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
      • Part of subcall function 00406C2C: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
      • Part of subcall function 00406C2C: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
      • Part of subcall function 00406C2C: lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
      • Part of subcall function 00406C2C: lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
      • Part of subcall function 00406C2C: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
      • Part of subcall function 00406C2C: lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
      • Part of subcall function 00406C2C: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
      • Part of subcall function 00406C2C: lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
      • Part of subcall function 00406C2C: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B
    APIs
    • gethostname.WSOCK32(?,00000100,?,?,0046084B,00000000,0046086D,?,?,?,00000000), ref: 004607FD
    APIs
    • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?,00473AAB,00000000,00473AD0,?,00000000,00000000,?,00473BAB,?,00000000), ref: 00473A51
    APIs
    • DefWindowProcA.USER32(?,?,?,?), ref: 0044586E
    APIs
    • ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8
      • Part of subcall function 0041FC00: GetLastError.KERNEL32(00000005,0041FC67,?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC07
    APIs
    • GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    APIs
    • GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B
    APIs
    • CreateMutexA.KERNEL32(?,?,?,?,0049048A,00000000,00000000,00000000,00000000,?,00490710,?), ref: 0040798E
    APIs
    • CreateDirectoryA.KERNEL32(00000000,00000000,00000001,0040A378,00000000,0040A39D,?,?,00000000,00000000,00000000,00000000,?,0048FDBD,00490710,?), ref: 0040A859
    APIs
      • Part of subcall function 0041F79C: InterlockedIncrement.KERNEL32(004999E8), ref: 0041F7A1
      • Part of subcall function 004054B4: CreateThread.KERNEL32(00000000,?,Function_0000547C,00000000,?,00499F5C), ref: 00405504
    • GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94
      • Part of subcall function 0040D2E8: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000), ref: 0040D307
    APIs
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2
    APIs
    • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401D07,?,004019DA), ref: 0040170E

    Non-executed Functions

    APIs
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
    • keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
    • keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
    • keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
    • keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
    • keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
    • keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
    • keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
    • keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
    • keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
    • keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
    • keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
    • keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
    • keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
    • keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
    • keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
    • keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
    • keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
    • keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA
    APIs
    • GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
    • GetDC.USER32(00000000), ref: 00428B99
    • CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
    • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
    • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
    • GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
    • GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
    • SelectObject.GDI32(?,?), ref: 00428D7F
      • Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
      • Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE
    • SelectObject.GDI32(?,00000000), ref: 00428D21
    • GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
    • GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
    • CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
    • GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
      • Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
      • Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6
    • SelectObject.GDI32(?,?), ref: 00428E77
    • SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
    • RealizePalette.GDI32(?), ref: 00428EC3
    • SelectPalette.GDI32(?,?,000000FF), ref: 004290CE
      • Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097
    • FillRect.USER32(?,?,00000000), ref: 00428F14
    • SetTextColor.GDI32(?,00000000), ref: 00428F2C
    • SetBkColor.GDI32(?,00000000), ref: 00428F46
    • SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
    • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
    • CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
    • SelectObject.GDI32(?,00000000), ref: 00428FE6
    • SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
    • RealizePalette.GDI32(?), ref: 0042900D
    • DeleteDC.GDI32(?), ref: 004290A4
      • Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A
    • SetTextColor.GDI32(?,00000000), ref: 0042902B
    • SetBkColor.GDI32(?,00000000), ref: 00429045
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
    • SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
    • SelectObject.GDI32(?,00000000), ref: 00429089
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
    • ntohs.WSOCK32(00000774), ref: 0047FAEF
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
    • connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
    • GetDC.USER32(00000000), ref: 0047FBE3
    • CreateCompatibleDC.GDI32(?), ref: 0047FBEF
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
    • GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
    • CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
    • SelectObject.GDI32(?,?), ref: 0047FC23
    • GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
    • GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
    • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
    • send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
    • SelectObject.GDI32(?,?), ref: 0047FD08
    • DeleteObject.GDI32(?), ref: 0047FD11
    • DeleteObject.GDI32(?), ref: 0047FD1A
    • ReleaseDC.USER32(00000000,?), ref: 0047FD25
    • shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
    • closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
    • recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
    • send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
    • send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
    • recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
    • send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
    • send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
    • send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
    • send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
    • send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
    • recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
    • recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
    • recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
    • gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
    • ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
    • socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
    • connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
    • getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
    • send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
    • select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
    • Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA
      • Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718
    • recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
    • send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
    • recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
    • send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
    • closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
    • closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
    • ntohs.WSOCK32(00000774), ref: 00480288
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
    • connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
    • closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
    • recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
    • send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583
      • Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF
    • recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
    • shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
      • Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
      • Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038
    • FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
    • FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
    • FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
    • VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
    • GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
    • OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
    • VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
    • WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
    • SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
    • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
    • SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
    • VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
    • CloseHandle.KERNEL32(00000000), ref: 0048E23A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
    • ntohs.WSOCK32(00000774), ref: 004808D9
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
    • connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
    • closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
    • shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
    • closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89
      • Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879
    • shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26
      • Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
    • ntohs.WSOCK32(00000774), ref: 004885A7
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
    • connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
    • recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
    • recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
    • mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743
      • Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
      • Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
      • Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
      • Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
      • Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
      • Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
      • Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A
    • shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
    • closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
    • ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
    • ntohs.WSOCK32(00000774), ref: 0048326E
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
    • ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
    • connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
    • recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
    • ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
    • send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
    • recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
    • shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
    • closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
    • ntohs.WSOCK32(00000774), ref: 0047F567
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
    • connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
    • closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F
      • Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859
      • Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
      • Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09
    • recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786
      • Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
      • Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
      • Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
      • Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
      • Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
      • Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
      • Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
      • Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
      • Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
      • Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1
    • shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9
      • Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
    • ntohs.WSOCK32(00000774), ref: 004892DC
    • inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
    • gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
    • connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
    • recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340
      • Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38
    • recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
    • send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
    • recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
    • shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
    • closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
    • ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
    • GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
    • lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
    • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
      • Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F
    • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
    • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
    • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
    • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
    • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
    • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
    • ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
    • bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
    • listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD
      • Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
      • Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4
    • accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
    • LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
    • CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
    • CloseHandle.KERNEL32(00000000), ref: 00486F89
    • Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0
      • Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
      • Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
      • Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649
    • ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018
    Strings
    • ERR|Socket error..|, xrefs: 00486FA4
    • OK|Successfully started..|, xrefs: 00486EEF
    • ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
    • ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
    • ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
    • inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
    • gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
    • ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
    • connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
    • ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    • closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
    • ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
    • closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
    • ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
    • inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
    • ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
    • gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
    • ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
    • connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
    • ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9
      • Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF
    • recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
    • Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
    • closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
    • ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC
    Strings
    • POST /index.php/1.0Host: , xrefs: 00483708
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
    • ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
    • inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
    • ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
    • gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
    • ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
    • connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
    • ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A
      • Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525
    • recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
    • Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
    • closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
    • ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D
    APIs
    • socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
    • ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
    • inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
    • ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
    • gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
    • ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
    • sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
    • Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
    • closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
    • ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7
    APIs
    • IsIconic.USER32(?), ref: 0045891F
    • GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
    • GetWindowRect.USER32(?), ref: 00458955
    • GetWindowLongA.USER32(?,000000F0), ref: 00458963
    • GetWindowLongA.USER32(?,000000F8), ref: 00458978
    • ScreenToClient.USER32(00000000), ref: 00458985
    • ScreenToClient.USER32(00000000,?), ref: 00458990
    APIs
    • GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
    • IsIconic.USER32(?), ref: 0043B800
    • IsWindowVisible.USER32(?), ref: 0043B80C
    • ShowWindow.USER32(?,00000000), ref: 0043B840
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
    • ShowWindow.USER32(?,00000006), ref: 0043B881
    • ShowWindow.USER32(?,00000005), ref: 0043B88B
    APIs
    • DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA
      • Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
      • Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77
    • GetSubMenu.USER32(?,?), ref: 00438AB0
      • Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128
    • SaveDC.GDI32(?), ref: 00438C84
    • RestoreDC.GDI32(?,?), ref: 00438CF8
    • GetWindowDC.USER32(?), ref: 00438D72
    • SaveDC.GDI32(?), ref: 00438DA9
    • RestoreDC.GDI32(?,?), ref: 00438E16
      • Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
      • Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
      • Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678
    APIs
      • Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
      • Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289
    • SetFocus.USER32(00000000), ref: 0043E76F
      • Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B
      • Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
      • Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
      • Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
      • Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336
    • GetParent.USER32(?), ref: 0043E78A
      • Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128
    • SaveDC.GDI32(?), ref: 0043E92D
    • RestoreDC.GDI32(?,?), ref: 0043E99E
    • GetWindowDC.USER32(00000000), ref: 0043EA0A
    • SaveDC.GDI32(?), ref: 0043EA41
    • RestoreDC.GDI32(?,?), ref: 0043EAA5
      • Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
      • Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6
      • Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
      • Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
      • Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
      • Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
    • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1
      • Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
      • Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
      • Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
    • CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
    • OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
    • StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
    • ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
    • QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
    • CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579
    APIs
    • GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
    • AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
    • ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED
    APIs
    • IsIconic.USER32(?), ref: 0042E3B9
    • GetWindowPlacement.USER32(?,?), ref: 0042E3C7
    • GetWindowRect.USER32(?,?), ref: 0042E3D3
      • Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
      • Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
    • OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
    • DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
    • WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE
    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
    • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
    • HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6
    APIs
    • ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
    • EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC
      • Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
      • Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
      • Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
      • Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
      • Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
      • Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
      • Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579
    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805
    APIs
    • GetClipboardData.USER32(0000000E), ref: 00428425
    • CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00428447
    • GetEnhMetaFileHeader.GDI32(?,00000064,?), ref: 00428459
    APIs
      • Part of subcall function 004606CC: inet_addr.WSOCK32(00000000), ref: 004606F6
      • Part of subcall function 004606CC: gethostbyname.WSOCK32(00000000), ref: 00460711
    • inet_addr.WSOCK32(00000000,00000000,004606BD), ref: 00460679
      • Part of subcall function 004607A4: getservbyname.WSOCK32(00000000,00000000,?,?,?,0046068D,00000000,00000000,004606BD), ref: 004607BA
      • Part of subcall function 004607A4: ntohs.WSOCK32(?,00000000,00000000,?,?,?,0046068D,00000000,00000000,004606BD), ref: 004607C8
    • ntohs.WSOCK32(00000000,00000000,00000000,004606BD), ref: 0046068E
    APIs
    • GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
    • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6
    APIs
    • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00461DB1,00000000,00461F3B), ref: 0040A4A3
    • GetLastError.KERNEL32(00000000,?,?,?,?,00461DB1,00000000,00461F3B), ref: 0040A4C8
      • Part of subcall function 0040A404: FindNextFileA.KERNEL32(?,?), ref: 0040A415
      • Part of subcall function 0040A404: GetLastError.KERNEL32(?,?), ref: 0040A41E
      • Part of subcall function 0040A404: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
      • Part of subcall function 0040A404: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443
      • Part of subcall function 0040A4FC: FindClose.KERNEL32(?,?,0040A4C6,00000000,?,?,?,?,00461DB1,00000000,00461F3B), ref: 0040A508
    APIs
    • getservbyname.WSOCK32(00000000,00000000,?,?,?,0046068D,00000000,00000000,004606BD), ref: 004607BA
    • ntohs.WSOCK32(?,00000000,00000000,?,?,?,0046068D,00000000,00000000,004606BD), ref: 004607C8
    APIs
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12
    APIs
    • FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E
    APIs
    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040A769
    APIs
    • FtpPutFileA.WININET(00000000,00000000,00000000,00000002,00000000), ref: 004735B2
    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352
    APIs
    • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000005,00000005), ref: 0048CF00
    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393
    APIs
    • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
    • GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
    • GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
    • GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
    • GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
    • GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
    • GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
    • GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
    • GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
    • GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
    • GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
    • GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
    • GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
    • GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
    • GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
    • GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
    • GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
    • GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
    • GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
    • GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
    • GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
    • GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590
      • Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
      • Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE
    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
    • GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
    • GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
    • GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
    • GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
    • GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
    • GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
    • GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
    • GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
    • GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
    • GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
    • GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
    • GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
    • GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
    • GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
    • GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
    • GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
    • GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
    • GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
    • GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
    • GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
    • GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
    • GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
    • GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
    • GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1
      • Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
      • Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
      • Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81
      • Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
    • GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
    • GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
    • GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
    • GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
    • GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
    • GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
    • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
    • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
    • GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
    • GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
    • GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
      • Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
      • Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE
    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
    • GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
    • GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
    • GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
    • GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
    • GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
    • GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
    • GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
    • GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
    • GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
    • GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
    • GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
    • GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
    • GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
    • GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
    • GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
    • GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
    • GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
    • GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211
      • Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
      • Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
      • Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81
      • Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SetErrorMode.KERNEL32(00008000), ref: 0045D701
    • GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
    • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
    • LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
    • GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
    • GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
    • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
    • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
    • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
    • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
    • GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
    • GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
    • SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9
      • Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
      • Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
      • Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
    • CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1
      • Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4
    • SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
    • DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
    • PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
    • CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
    • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
    • Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
    • TranslateMessage.USER32(?), ref: 00489693
    • DispatchMessageA.USER32(?), ref: 0048969F
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
    • PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
    • ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
    • OemToCharA.USER32(?,?), ref: 0048972E
    • PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781
      • Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94
      • Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55
      • Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8
      • Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
      • Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
      • Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
      • Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
      • Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7
    • TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
    • CloseHandle.KERNEL32(?), ref: 00489813
    • CloseHandle.KERNEL32(?), ref: 0048981C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetObjectA.GDI32(?,00000054,?), ref: 004291F3
    • GetDC.USER32(00000000), ref: 00429221
    • CreateCompatibleDC.GDI32(?), ref: 00429232
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
    • SelectObject.GDI32(?,00000000), ref: 00429267
    • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
    • CreateCompatibleDC.GDI32(?), ref: 00429297
    • DeleteDC.GDI32(?), ref: 0042937D
      • Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
      • Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
      • Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
      • Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
      • Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
      • Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
      • Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
      • Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
      • Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
      • Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
      • Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
      • Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
      • Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
      • Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
      • Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
      • Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
      • Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
      • Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
      • Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
      • Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
      • Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
      • Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
      • Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
      • Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
      • Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
      • Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
      • Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
      • Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
      • Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
      • Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
      • Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
      • Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE
    • SelectObject.GDI32(?), ref: 004292DF
    • SelectPalette.GDI32(?,?,00000000), ref: 004292F2
    • RealizePalette.GDI32(?), ref: 004292FB
    • SelectPalette.GDI32(?,?,00000000), ref: 00429307
    • RealizePalette.GDI32(?), ref: 00429310
    • SetBkColor.GDI32(?), ref: 0042931A
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
    • SetBkColor.GDI32(?,00000000), ref: 00429348
    • SelectObject.GDI32(?,00000000), ref: 0042935B
    • DeleteObject.GDI32 ref: 00429367
    • SelectObject.GDI32(?,00000000), ref: 00429398
    • DeleteDC.GDI32(00000000), ref: 004293B4
    • ReleaseDC.USER32(00000000,00000000), ref: 004293C5
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CharNextA.USER32(00000000), ref: 00403208
    • CharNextA.USER32(00000000), ref: 00403236
    • CharNextA.USER32(00000000), ref: 00403240
    • CharNextA.USER32(00000000), ref: 0040325F
    • CharNextA.USER32(00000000), ref: 00403269
    • CharNextA.USER32(00000000), ref: 00403295
    • CharNextA.USER32(00000000), ref: 0040329F
    • CharNextA.USER32(00000000), ref: 004032C7
    • CharNextA.USER32(00000000), ref: 004032D1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
    • WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
    • inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
    • inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
    • inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
    • closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowDC.USER32(00000000), ref: 00459480
    • GetClientRect.USER32(00000000,?), ref: 004594A3
    • GetWindowRect.USER32(00000000,?), ref: 004594B5
    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
    • OffsetRect.USER32(?,?,?), ref: 004594E0
    • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
    • InflateRect.USER32(?,00000000,00000000), ref: 00459517
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
    • DrawEdge.USER32(?,?,?,00000008), ref: 00459630
    • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
    • OffsetRect.USER32(?,?,?), ref: 00459673
    • GetRgnBox.GDI32(?,?), ref: 00459682
    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
    • IntersectRect.USER32(?,?,?), ref: 004596A9
    • OffsetRect.USER32(?,?,?), ref: 004596BE
      • Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097
    • FillRect.USER32(?,?,00000000), ref: 004596DA
    • ReleaseDC.USER32(00000000,?), ref: 004596F9
      • Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
      • Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
      • Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
      • Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
      • Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
      • Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
      • Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
      • Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
      • Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
      • Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
      • Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
      • Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
    • GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
    • HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55
      • Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
      • Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B
      • Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
      • Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
      • Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
      • Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9
      • Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
      • Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5
      • Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
      • Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
      • Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
      • Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6
    Strings
    • BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
    • BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
    • BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
    • BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
    • PE, xrefs: 00465A84
    • BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
    • MZ, xrefs: 00465A41
    • BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
      • Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
      • Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
      • Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
      • Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00
    • SelectPalette.GDI32(?,?,000000FF), ref: 00429723
    • RealizePalette.GDI32(?), ref: 00429732
    • GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
    • GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
    • GetBrushOrgEx.GDI32(?,?), ref: 00429786
    • SetStretchBltMode.GDI32(?,00000004), ref: 00429794
    • SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
    • SelectPalette.GDI32(?,?,000000FF), ref: 00429918
      • Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F
    • CreateCompatibleDC.GDI32(00000000), ref: 0042982A
    • SelectObject.GDI32(?,?), ref: 0042983F
      • Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
      • Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
      • Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
      • Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
      • Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
      • Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
      • Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
      • Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
      • Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
      • Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
      • Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
      • Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
      • Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
      • Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
      • Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
      • Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
      • Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
      • Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
      • Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
      • Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
      • Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
      • Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
      • Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
      • Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
      • Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37
    • SelectObject.GDI32(?,00000000), ref: 0042989E
    • DeleteDC.GDI32(00000000), ref: 004298AD
    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
    • GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
    • GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
    • GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
    • GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
    • GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetVersionExA.KERNEL32(00000094), ref: 0048D410
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3
      • Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC
    • CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
    • SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
    • CloseHandle.KERNEL32(00000000), ref: 0048C53B
    • LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
    • CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
    • CloseHandle.KERNEL32(00000000), ref: 0048C58C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
    • RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
    • RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
    • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
    • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
    • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222
    • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
    • ShowWindow.USER32(00000000,00000003), ref: 004426CE
    • ShowWindow.USER32(00000000,00000002), ref: 004426F0
    • CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
    • SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
    • ShowWindow.USER32(00000000,?), ref: 00442763
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
    • GetActiveWindow.USER32 ref: 00442815
    • ShowWindow.USER32(00000000,00000000), ref: 00442872
      • Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773
      • Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
      • Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
    • SetActiveWindow.USER32(00000000), ref: 00442860
    • ShowWindow.USER32(00000000,00000001), ref: 004428A2
      • Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
    • GetWindowRect.USER32(00000000,?), ref: 00432932
    • OffsetRect.USER32(?,?,?), ref: 00432947
    • GetWindowDC.USER32(00000000), ref: 00432955
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
    • GetSystemMetrics.USER32(00000002), ref: 0043299B
    • GetSystemMetrics.USER32(00000003), ref: 004329A4
    • InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
    • GetSysColorBrush.USER32(0000000F), ref: 004329E0
    • FillRect.USER32(?,?,00000000), ref: 004329EE
    • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
    • ReleaseDC.USER32(00000000,?), ref: 00432A51
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
    • GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
    • IsWindowVisible.USER32(?), ref: 0046F258
      • Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
      • Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
    • GetSystemMetrics.USER32(00000000), ref: 0042E77A
    • GetSystemMetrics.USER32(00000001), ref: 0042E785
    • GetClipBox.GDI32(?,?), ref: 0042E797
    • GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
    • OffsetRect.USER32(?,?,?), ref: 0042E7BD
    • IntersectRect.USER32(?,?,?), ref: 0042E7CE
    • IntersectRect.USER32(?,?,?), ref: 0042E7E4
    • IntersectRect.USER32(?,?,?), ref: 0042E804
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • IsWindowUnicode.USER32(?), ref: 0044D1CA
    • SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
    • GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
    • GetWindowLongW.USER32(?,000000F4), ref: 0044D202
    • SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
    • GetWindowLongA.USER32(?,000000F0), ref: 0044D239
    • GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
    • SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
    • SetPropA.USER32(?,00000000,00000000), ref: 0044D275
    • SetPropA.USER32(?,00000000,00000000), ref: 0044D28C
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68
      • Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC
      • Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5
      • Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
      • Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
      • Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
      • Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
      • Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
      • Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
      • Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
      • Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95
    • DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
    • DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92
      • Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
      • Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
      • Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919
    • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
    • CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
    • CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
    • CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
    • HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
    • InternetCloseHandle.WININET(00000000), ref: 00484A95
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3
      • Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385
    • ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
    • SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
    • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
    • SetBkColor.GDI32(00000000,00000000), ref: 00448C37
    • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A
      • Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    • CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
    • CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
    • CloseHandle.KERNEL32(00000000), ref: 0048AA68
    • CloseHandle.KERNEL32(00000000), ref: 0048AA77
    • CloseHandle.KERNEL32(00000000), ref: 0048AA86
    • CloseHandle.KERNEL32(00000000), ref: 0048AA95
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277
    • CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 00466DF3
    • CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 00466E2D
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 00466EB0
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00466ECD
    • CloseHandle.KERNEL32(00000000), ref: 00466F08
    • CloseHandle.KERNEL32(00000000), ref: 00466F17
    • CloseHandle.KERNEL32(00000000), ref: 00466F26
    • CloseHandle.KERNEL32(00000000), ref: 00466F35
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
    • InternetCloseHandle.WININET(00000000), ref: 0048353D
    • InternetCloseHandle.WININET(?), ref: 00483553
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    • ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
    • GetWindowPlacement.USER32(?,0000002C), ref: 0046F429
      • Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
      • Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SaveDC.GDI32(?), ref: 00456295
      • Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
      • Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
    • GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00456303
      • Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
      • Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
      • Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
      • Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
      • Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C
    • RestoreDC.GDI32(?,?), ref: 004564AB
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
    • GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
    • SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
    • SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
    • SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
    • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
    • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
    • GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
    • DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
    • DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
    • DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
    • DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
    • DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
    • DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
    • DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE
    Strings
    • An unexpected memory leak has occurred. , xrefs: 00402980
    • , xrefs: 00402B04
    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
    • The unexpected small block leaks are:, xrefs: 004029F7
    • Unexpected Memory Leak, xrefs: 00402BB0
    • 7, xrefs: 00402991
    • bytes: , xrefs: 00402A4D
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
    • GetWindow.USER32(00000000,00000005), ref: 00471125
    • GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
    • ShowWindow.USER32(00000000,00000001), ref: 0047117C
    • ShowWindow.USER32(00000000,00000000), ref: 00471186
    • GetWindow.USER32(00000000,00000002), ref: 0047118E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
      • Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
      • Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
      • Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E
    • CharToOemA.USER32(?,?), ref: 0040DA6B
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
    • GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
    • WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
    • LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
      • Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
      • Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
      • Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
      • Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9
    • BeginPaint.USER32(00000000,?), ref: 004565EA
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
    • CreateCompatibleDC.GDI32(00000000), ref: 00456617
    • SelectObject.GDI32(?,?), ref: 00456627
    • SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B
      • Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
      • Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0
    • BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
    • SelectObject.GDI32(?,?), ref: 004566B3
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MulDiv.KERNEL32(?,?,?), ref: 004504D7
    • MulDiv.KERNEL32(?,?,?), ref: 004504F1
    • MulDiv.KERNEL32(?,?,?), ref: 0045051F
    • MulDiv.KERNEL32(?,?,?), ref: 00450535
    • MulDiv.KERNEL32(?,?,?), ref: 0045056D
    • MulDiv.KERNEL32(?,?,?), ref: 00450585
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 00450365
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 00450382
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 0045039F
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 004503BC
    • MulDiv.KERNEL32(?), ref: 004505DC
    • MulDiv.KERNEL32(?), ref: 00450606
      • Part of subcall function 00424A40: MulDiv.KERNEL32(00000000,00000048,?), ref: 00424A51
    • MulDiv.KERNEL32(00000000), ref: 0045062C
      • Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
    • OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
    • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
    • CloseHandle.KERNEL32(?), ref: 00484185
    • LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
    • LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
    • CloseHandle.KERNEL32(00000000), ref: 00484255
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetDesktopWindow.USER32 ref: 0045148F
    • GetDCEx.USER32(?,00000000,00000402), ref: 004514A2
      • Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097
    • SelectObject.GDI32(?,00000000), ref: 004514C5
    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
    • SelectObject.GDI32(?,?), ref: 00451553
    • ReleaseDC.USER32(?,?), ref: 0045156D
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • LoadLibraryA.KERNEL32(00000000), ref: 00465607
    • GetProcAddress.KERNEL32(?,?), ref: 00465737
    • GetProcAddress.KERNEL32(?,?), ref: 0046576B
    • IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9
    Strings
    • BuildImportTable: can't load library: , xrefs: 00465644
    • BuildImportTable: ReallocMemory failed, xrefs: 0046568D
    • BuildImportTable: GetProcAddress failed, xrefs: 0046577C
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6
      • Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
      • Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
      • Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
      • Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
      • Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319
    • CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
    • Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
    • Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
    • VariantCopy.OLEAUT32(?), ref: 004119A1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582
    • GetClassInfoA.USER32(?,?,?), ref: 004549F8
    • UnregisterClassA.USER32(?,?), ref: 00454A20
    • RegisterClassA.USER32(?), ref: 00454A36
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
    • GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
    • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A
      • Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
      • Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
      • Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
      • Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
      • Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
      • Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
      • Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990
      • Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
      • Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D
      • Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
    • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
    • LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE
      • Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84
    • LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD
    Strings
    • GetTokenInformation error, xrefs: 0048AC86
    • OpenProcessToken error, xrefs: 0048AC60
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0041F7BF
    • GetCurrentThreadId.KERNEL32 ref: 0041F7CE
    • EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7
      • Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E
      • Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E
    • EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
    • InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
    • LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8
      • Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
      • Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
      • Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435
    • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
    • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
    • GetSystemMetrics.USER32(00000000), ref: 0042E50D
    • GetSystemMetrics.USER32(00000001), ref: 0042E518
    • lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
    • GetSystemMetrics.USER32(00000000), ref: 0042E5E1
    • GetSystemMetrics.USER32(00000001), ref: 0042E5EC
    • lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
    • GetSystemMetrics.USER32(00000000), ref: 0042E6B5
    • GetSystemMetrics.USER32(00000001), ref: 0042E6C0
    • lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
    • GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
    • WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582
    • GetCapture.USER32 ref: 00442D0D
    • GetCapture.USER32 ref: 00442D1C
    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
    • ReleaseCapture.USER32 ref: 00442D27
    • GetActiveWindow.USER32 ref: 00442D78
      • Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
      • Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
      • Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
      • Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
      • Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
      • Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
      • Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332
      • Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
      • Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C
    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
    • GetActiveWindow.USER32 ref: 00442E8A
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
    • RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
    • RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
    • RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
    • RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCapture.USER32 ref: 0044631A
    • GetParent.USER32(00000000), ref: 00446340
    • IsWindowUnicode.USER32(00000000), ref: 0044635D
    • SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
    • SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
    • GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
    • GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
    • SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
    • RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
    • RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
    • RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
    • RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
    • RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetDC.USER32(00000000), ref: 0042608E
    • GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
    • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
    • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
    • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
    • ReleaseDC.USER32(00000000,?), ref: 00426157
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
    • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
    • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E
      • Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
      • Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79
    • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SetCursorPos.USER32(00000000,00000000), ref: 004890E0
    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
    • mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
    • mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
    • mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
    • mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
    • CreateCompatibleDC.GDI32(?), ref: 00488DC4
    • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
    • SelectObject.GDI32(?,?), ref: 00488DEC
    • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15
      • Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43
      • Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
      • Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D
    • GetWindowRect.USER32(?,?), ref: 004468B6
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE
      • Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
      • Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C
    • MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D
      • Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
      • Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01
    • SetActiveWindow.USER32(00000000), ref: 0044698E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
    • IsWindowUnicode.USER32 ref: 0044654C
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583
      • Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
      • Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08
      • Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3
      • Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
      • Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
      • Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
      • Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
      • Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
      • Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
      • Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
      • Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4
      • Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
      • Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
      • Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296
    • TranslateMessage.USER32 ref: 0044660C
    • DispatchMessageW.USER32 ref: 00446618
    • DispatchMessageA.USER32 ref: 00446620
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
    • MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
    • GetDC.USER32(00000000), ref: 00428350
    • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
    • GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7
      • Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
      • Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
    • CreateFontIndirectA.GDI32(?), ref: 004443A6
    • GetStockObject.GDI32(0000000D), ref: 004443BC
    • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
    • CreateFontIndirectA.GDI32(?), ref: 004443F5
    • CreateFontIndirectA.GDI32(?), ref: 0044440E
      • Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69
    • GetStockObject.GDI32(0000000D), ref: 00444434
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
    • LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
    • CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
    • Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
    • ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
      • Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE
    • GetDC.USER32(00000000), ref: 00428A3E
    • CreateCompatibleDC.GDI32(?), ref: 00428A4A
    • SelectObject.GDI32(?), ref: 00428A57
    • SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
    • SelectObject.GDI32(?,?), ref: 00428A95
    • DeleteDC.GDI32(?), ref: 00428A9E
    • ReleaseDC.USER32(00000000,?), ref: 00428AA9
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCursorPos.USER32 ref: 004442C3
    • WindowFromPoint.USER32(?,?), ref: 004442D0
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
    • GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
    • SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
    • SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
    • SetCursor.USER32(00000000), ref: 00444332
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
    • RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
    • EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
      • Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
      • Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
      • Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
      • Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
      • Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95
      • Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38
      • Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
      • Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33
    Strings
    • DownloadFail, xrefs: 00484CBC
    • BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
    • BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
    • BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
    • DownloadSuccess, xrefs: 00484CA2
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097
    • FillRect.USER32(?,?), ref: 0043EC91
    • GetClientRect.USER32(00000000,?), ref: 0043ECBC
    • FillRect.USER32(?,?,00000000), ref: 0043ECDB
      • Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6
      • Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
      • Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
      • Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE
    • BeginPaint.USER32(?,?), ref: 0043ED53
    • GetWindowRect.USER32(?,?), ref: 0043ED80
      • Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
      • Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4
      • Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
      • Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
      • Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
      • Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
      • Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9
    • EndPaint.USER32(?,?), ref: 0043EDE0
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
      • Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
      • Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE
    • SaveDC.GDI32(?), ref: 004411AD
    • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
    • GetStockObject.GDI32(00000004), ref: 00441256
    • FillRect.USER32(00000000,?,00000000), ref: 0044126F
      • Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A
    • SetBkColor.GDI32(00000000,00000000), ref: 004412BA
      • Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385
    • RestoreDC.GDI32(00000000,?), ref: 004412E5
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
    • DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
      • Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640
    • _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
      • Part of subcall function 00455640: GetCapture.USER32 ref: 00455653
      • Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
      • Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600
    • GetCapture.USER32 ref: 00455B5A
      • Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773
    • SetActiveWindow.USER32(?), ref: 0044608F
    • ShowWindow.USER32(00000000,00000009), ref: 004460B4
    • IsWindowEnabled.USER32(00000000), ref: 004460D3
    • DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
      • Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F
    • SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
    • SetFocus.USER32(00000000), ref: 00446180
      • Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA
      • Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE
      • Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
      • Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
      • Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
      • Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
      • Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetSystemMetrics.USER32(0000000B), ref: 004265B2
    • GetSystemMetrics.USER32(0000000C), ref: 004265BE
    • GetDC.USER32(00000000), ref: 004265DA
    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
    • ReleaseDC.USER32(00000000,00000000), ref: 00426647
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C
    • CreateCompatibleDC.GDI32(00000000), ref: 004269FE
    • SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
    • RealizePalette.GDI32(?), ref: 00426A2B
    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
    • SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
    • DeleteDC.GDI32(?), ref: 00426A73
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CreateCompatibleDC.GDI32(00000000), ref: 00426229
    • SelectObject.GDI32(00000000,00000000), ref: 00426232
    • GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
    • SelectObject.GDI32(00000000,00000000), ref: 00426252
    • DeleteDC.GDI32(00000000), ref: 00426258
    • CreatePalette.GDI32 ref: 0042629F
      • Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
      • Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
      • Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
      • Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
      • Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,004019DA), ref: 004017D8
      • Part of subcall function 00401770: Sleep.KERNEL32(00000000,004017F3,00000000,?,00101000,00000004,?,?,?,?,004019DA), ref: 00401786
      • Part of subcall function 00401770: Sleep.KERNEL32(0000000A,00000000,004017F3,00000000,?,00101000,00000004,?,?,?,?,004019DA), ref: 0040179F
    • Sleep.KERNEL32(00000000,?,004019DA), ref: 00401AC3
    • Sleep.KERNEL32(0000000A,00000000,?,004019DA), ref: 00401AD9
    • Sleep.KERNEL32(00000000,?,?,?,004019DA), ref: 00401B07
    • Sleep.KERNEL32(0000000A,00000000,?,?,?,004019DA), ref: 00401B1D
    • Sleep.KERNEL32(00000000,?,004019DA), ref: 00401C4C
    • Sleep.KERNEL32(0000000A,00000000,?,004019DA), ref: 00401C62
      • Part of subcall function 004016F8: VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401D07,?,004019DA), ref: 0040170E
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097
    • UnrealizeObject.GDI32(00000000), ref: 004258F8
    • SelectObject.GDI32(?,00000000), ref: 0042590A
    • SetBkColor.GDI32(?,00000000), ref: 0042592D
    • SetBkMode.GDI32(?,00000002), ref: 00425938
      • Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A
    • SetBkColor.GDI32(?,00000000), ref: 00425953
    • SetBkMode.GDI32(?,00000001), ref: 0042595E
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetDC.USER32(00000000), ref: 0042A9EC
    • CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
    • ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
    • DeleteObject.GDI32(00000000), ref: 0042AA76
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • Netbios.NETAPI32(00000032), ref: 0048DA8A
    • Netbios.NETAPI32(00000033), ref: 0048DB01
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57
    • SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB
      • Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
      • Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35
    • GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
    • WaitMessage.USER32 ref: 00447009
      • Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
      • Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
      • Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
      • Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
      • Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
      • Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
    • CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8
      • Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    • ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
    • CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C
      • Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    • ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
    • CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920
      • Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    • ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963
    Strings
    • @, xrefs: 004838F6
    • BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnumClipboardFormats.USER32(00000000), ref: 00431657
    • GetClipboardData.USER32(00000000), ref: 00431677
    • GetClipboardData.USER32(00000009), ref: 00431680
    • EnumClipboardFormats.USER32(00000000), ref: 0043169F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
      • Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE
    • IsWindow.USER32(?), ref: 0042EA99
    • FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
    • GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MulDiv.KERNEL32(00000000,?,?), ref: 0043DA73
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 00450365
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 00450382
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 0045039F
      • Part of subcall function 00450350: MulDiv.KERNEL32(?,00000000,00000000), ref: 004503BC
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB05
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB34
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB63
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB86
      • Part of subcall function 0043CF00: MulDiv.KERNEL32(?,00000001,00000001), ref: 0043CF5D
      • Part of subcall function 0043CF00: MulDiv.KERNEL32(?,00000001,00000001), ref: 0043CF7D
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582
    • GetMenu.USER32(00000000), ref: 0043FA38
    • SetMenu.USER32(00000000,00000000), ref: 0043FA55
    • SetMenu.USER32(00000000,00000000), ref: 0043FA8A
    • SetMenu.USER32(00000000,00000000), ref: 0043FAA6
      • Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
      • Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
      • Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
    • OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
    • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A
      • Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A
    • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
    • WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
    • inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
    • inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
    • closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnumWindows.USER32(00445518,00000000), ref: 00445620
    • ShowWindow.USER32(?,00000000), ref: 00445655
    • ShowOwnedPopups.USER32(00000000,?), ref: 00445684
    • ShowWindow.USER32(?,00000005), ref: 004456EA
    • ShowOwnedPopups.USER32(00000000,?), ref: 00445719
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3
      • Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
      • Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440
    • LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
    • CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
    • CloseHandle.KERNEL32(00000000), ref: 004879B4
    • LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
      • Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
      • Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
      • Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A
    • MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
    • TranslateMessage.USER32(?), ref: 0042EB92
    • DispatchMessageA.USER32(?), ref: 0042EB9B
    • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
      • Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79
    • GetMenuItemCount.USER32(00000000), ref: 0043495C
    • GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
    • RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
    • GetMenuItemCount.USER32(00000000), ref: 004349C4
    • DestroyMenu.USER32(00000000), ref: 004349D1
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
    • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
    • RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetDC.USER32(00000000), ref: 00426190
    • GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
    • GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
    • GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
    • ReleaseDC.USER32(00000000,?), ref: 004261F8
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
      • Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
    • EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
    • EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
    • SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
    • GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
    • CloseHandle.KERNEL32(00000000), ref: 00444BDF
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
    • closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
    • LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F
      • Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D
      • Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385
    • ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
    • ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E
      • Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
      • Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19
      • Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
      • Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
      • Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
      • Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
      • Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
      • Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
      • Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F
      • Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
      • Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B
    • TranslateMessage.USER32(?), ref: 004861CA
    • DispatchMessageA.USER32(?), ref: 004861D0
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
    • GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
    • IsWindowVisible.USER32(?), ref: 0046F655
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
    • InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF
    Strings
    • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • inet_addr.WSOCK32(00000000), ref: 004606F6
    • gethostbyname.WSOCK32(00000000), ref: 00460711
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
    • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
    • DrawMenuBar.USER32(00000000), ref: 004380F9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
      • Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12
    • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
    • ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • LoadLibraryA.KERNEL32(00000000), ref: 0048C431
    • GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
    • FreeLibrary.KERNEL32(00000000), ref: 0048C44A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetSystemMetrics.USER32(00000000), ref: 0042E331
    • GetSystemMetrics.USER32(00000001), ref: 0042E33D
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetClipboardData.USER32(00000001), ref: 0043159A
    • GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
    • GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
    • GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
    • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
    • GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004539AF
    • MulDiv.KERNEL32(?,?,?), ref: 00453A13
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00453A53
    • MulDiv.KERNEL32(?,?,?), ref: 00453A8E
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetDesktopWindow.USER32 ref: 0044E481
    • GetDesktopWindow.USER32 ref: 0044E5B1
      • Part of subcall function 0045A27C: ImageList_DragMove.COMCTL32(?,?), ref: 0045A2AA
      • Part of subcall function 0045A2F0: ImageList_EndDrag.COMCTL32(?,00000000,0044EC23,00000000,0044ED3F,?,00000000,0044EDB1), ref: 0045A30C
    • SetCursor.USER32(00000000), ref: 0044E5F1
    • SetCursor.USER32(00000000), ref: 0044E606
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F
      • Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
      • Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E
    • NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
    • NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
    • NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
    • NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
    • VariantClear.OLEAUT32(?), ref: 004115AF
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
    • LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
      • Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
      • Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE
      • Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
      • Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
      • Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
      • Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
      • Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00
    • CreateCompatibleDC.GDI32(00000000), ref: 0042889D
    • SelectObject.GDI32(00000000,?), ref: 004288B6
    • SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
    • RealizePalette.GDI32(00000000), ref: 004288EB
      • Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
      • Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
      • Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996
    • GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
    • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
    • DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
    • GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetMenuState.USER32(?,?,?), ref: 00438733
    • GetSubMenu.USER32(?,?), ref: 0043873E
    • GetMenuItemID.USER32(?,?), ref: 00438757
    • GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindow.USER32(?,00000004), ref: 00445528
    • GetWindowThreadProcessId.USER32(?,?), ref: 00445542
    • GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
    • IsWindowVisible.USER32(?), ref: 0044559E
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetClassInfoA.USER32(00400000,004667A4,?), ref: 004668A9
    • UnregisterClassA.USER32(004667A4,00400000), ref: 004668D2
    • RegisterClassA.USER32(00492AC8), ref: 004668DC
      • Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB
      • Part of subcall function 004667DC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004667FA
    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00466927
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00450365
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00450382
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 0045039F
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004503BC
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnumWindows.USER32(Function_000452BC), ref: 0044535E
    • GetWindow.USER32(?,00000003), ref: 00445376
    • GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
    • SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
    • GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
    • SetClipboardData.USER32(?,?), ref: 00431517
    • GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindNextFileA.KERNEL32(?,?), ref: 0040A415
    • GetLastError.KERNEL32(?,?), ref: 0040A41E
    • FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
    • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
    • LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
    • SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
    • LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
    • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
    • TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
    • CloseHandle.KERNEL32(00000000), ref: 004843DA
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
    • GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
    • GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
    • GetPropA.USER32(00000000,00000000), ref: 0044E296
      • Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
      • Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
      • Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetWindowThreadProcessId.USER32(?), ref: 0044D301
    • GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
    • GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
    • GetPropA.USER32(?,00000000), ref: 0044D336
      • Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
      • Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
      • Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
    • SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
    • CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetDC.USER32(00000000), ref: 0042B441
    • SelectObject.GDI32(00000000,018A002E), ref: 0042B453
    • GetTextMetricsA.GDI32(00000000), ref: 0042B45E
    • ReleaseDC.USER32(00000000,00000000), ref: 0042B46F
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20
    • CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
    • CreateFontIndirectA.GDI32(?), ref: 0042490D
      • Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
      • Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
      • Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
      • Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F
      • Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404D2E
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00404D62
      • Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
      • Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817
      • Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
      • Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39
      • Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
      • Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1
      • Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582
    • GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E
      • Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
      • Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
      • Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6
      • Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36
      • Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • CoCreateInstance.OLE32(00492A3C,00000000,00000003,0049299C,00000000), ref: 0046315A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
    • SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463
      • Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF
    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16
    Strings
    • drivers\etc\hosts, xrefs: 00472CD3, 00472D00
    • I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
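The record above builds the path drivers\etc\hosts under the system directory, resets the file's attributes to 0x80 (FILE_ATTRIBUTE_NORMAL, which clears a read-only bit before a write) and carries an error string for the case where the file cannot be opened. A hosts file rewritten this way can redirect or black-hole name lookups on the host without touching DNS, so checking it is a standard triage step. The audit below is an added example, not part of the report or of the sample: it parses a hosts file, flags entries that point names at non-loopback addresses and entries that pin watched hostnames to a loopback or unspecified address, and names the attribute bits in the value the sample passed to SetFileAttributesA. The hosts content and the watched names are constructed for the example (documentation address ranges and the .test TLD); what the sample actually writes to the file is not visible on this page and is not assumed.

```python
"""Audit a Windows hosts file for redirect and black-hole entries. Added example."""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample hosts content (not taken from the sample's behaviour).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example-bank.test login.example-bank.test   # redirect
0.0.0.0         update.example-av.test
127.0.0.1       telemetry.example-vendor.test
"""

# Constructed watch list: names whose resolution should never be overridden locally.
WATCHED_NAMES: FrozenSet[str] = frozenset({
    "update.example-av.test",
    "telemetry.example-vendor.test",
})

FILE_ATTRIBUTES = {
    0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x04: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x80: "FILE_ATTRIBUTE_NORMAL",
}


def decode_file_attributes(value: int) -> List[str]:
    """Name the bits of a SetFileAttributes/GetFileAttributes value."""
    return [name for bit, name in FILE_ATTRIBUTES.items() if value & bit]


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every entry, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def audit_hosts(text: str, watched: FrozenSet[str] = WATCHED_NAMES) -> List[Dict[str, object]]:
    """Flag redirects to real addresses and black-holed watched names."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed", "address": addr, "names": names})
            continue
        local_sink = ip.is_loopback or ip.is_unspecified
        if not local_sink:
            # A stock hosts file only maps names to loopback; anything else steers
            # the listed names to a host of the author's choosing.
            findings.append({"line": lineno, "kind": "redirect", "address": addr, "names": names})
        hijacked = sorted(set(names) & watched)
        if local_sink and hijacked:
            # Watched names pinned to 127.0.0.1 or 0.0.0.0 are black-holed.
            findings.append({"line": lineno, "kind": "blackhole", "address": addr, "names": hijacked})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(decode_file_attributes(0x80))
```

On a live Windows host the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the value returned by GetFileAttributes; an attribute value that has dropped READONLY or gained HIDDEN since the baseline is worth a second look even when the entries themselves appear unchanged.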
    APIs
    • CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
    • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5
    Strings
    • FinalizeSections: VirtualProtect failed, xrefs: 004659B3
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
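The pair VirtualFree(..., 0x4000 = MEM_DECOMMIT) and VirtualProtect, together with the string "FinalizeSections: VirtualProtect failed", is the section-finalisation stage of the MemoryModule family of in-memory PE loaders (Joachim Bauch's C MemoryModule and its Delphi ports use FinalizeSections as the stage name): once an image has been copied into a private allocation and relocated, each section's IMAGE_SCN_MEM_* characteristics are mapped to a page protection and applied with VirtualProtect, while discardable sections are decommitted. A PE loaded this way never appears in the process's module list, so the usual detection is a scan for executable private memory. The script below is an added example, not the sample's or any loader's code: it applies the public C MemoryModule's characteristics-to-protection table to section headers read from a constructed byte string, so an analyst can predict which regions end up executable and which would be RWX. The section headers are constructed, and the table is assumed, not verified, to match whatever port the sample embeds.

```python
"""Predict the page protection an in-memory PE loader's FinalizeSections step
applies to each section. Added example; mirrors the public MemoryModule table."""
import struct
from typing import Dict, List

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_CACHED = 0x04000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_NOCACHE = 0x200
MEM_DECOMMIT = 0x4000

# ProtectionFlags[executable][readable][writeable], as in MemoryModule.c
PROTECTION_FLAGS = (
    ((PAGE_NOACCESS, PAGE_WRITECOPY), (PAGE_READONLY, PAGE_READWRITE)),
    ((PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY), (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE)),
)
PAGE_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}


def finalize_action(characteristics: int) -> Dict[str, object]:
    """What FinalizeSections does with one section: decommit it or protect it."""
    if characteristics & IMAGE_SCN_MEM_DISCARDABLE:
        return {"call": "VirtualFree", "value": MEM_DECOMMIT, "name": "MEM_DECOMMIT"}
    executable = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    readable = bool(characteristics & IMAGE_SCN_MEM_READ)
    writeable = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    protect = PROTECTION_FLAGS[executable][readable][writeable]
    name = PAGE_NAMES[protect]
    if characteristics & IMAGE_SCN_MEM_NOT_CACHED:
        protect |= PAGE_NOCACHE
        name += "|PAGE_NOCACHE"
    return {"call": "VirtualProtect", "value": protect, "name": name}


def make_section(name: bytes, rva: int, vsize: int, characteristics: int) -> bytes:
    """Build one IMAGE_SECTION_HEADER (constructed test data)."""
    return SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, rva, vsize, 0, 0, 0, 0, 0, characteristics)


# Constructed section table: a normal code/data/reloc layout plus one RWX section.
SAMPLE_SECTIONS = b"".join([
    make_section(b".text", 0x1000, 0x3000, 0x60000020),   # CODE | EXECUTE | READ
    make_section(b".data", 0x4000, 0x1000, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    make_section(b".reloc", 0x5000, 0x0200, 0x42000040),  # INITIALIZED_DATA | DISCARDABLE | READ
    make_section(b".x", 0x6000, 0x1000, 0xE0000020),      # CODE | EXECUTE | READ | WRITE
])


def plan_finalize(section_table: bytes, image_base: int = 0x400000) -> List[Dict[str, object]]:
    """Per section: the call the loader would make and whether the result is RWX."""
    plan = []
    usable = len(section_table) // SECTION_HDR.size * SECTION_HDR.size
    for off in range(0, usable, SECTION_HDR.size):
        name, vsize, rva, _raw, *_unused, characteristics = SECTION_HDR.unpack_from(section_table, off)
        action = finalize_action(characteristics)
        action.update({
            "section": name.rstrip(b"\0").decode("ascii", "replace"),
            "address": image_base + rva,
            "size": vsize,
            "rwx": action["call"] == "VirtualProtect"
            and (action["value"] & 0xFF) == PAGE_EXECUTE_READWRITE,
        })
        plan.append(action)
    return plan


if __name__ == "__main__":
    for step in plan_finalize(SAMPLE_SECTIONS):
        print(step)
```

The table makes one point visible that the API listing alone does not: a section that asks for execute and write at once is honoured as PAGE_EXECUTE_READWRITE, so a payload linked that way (or a packer that rewrites its own code) produces exactly the RWX private region memory scanners look for, whereas a conventional .text section ends up PAGE_EXECUTE_READ and blends in with legitimately loaded images unless the scanner also checks for a backing file.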
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7
      • Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
      • Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetMonitorInfoA.USER32(?,00000048), ref: 00488A28
      • Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
      • Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
      • Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9
    • send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
    • recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1
      • Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
    • CloseHandle.KERNEL32(00000000), ref: 00484475
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetSystemMetrics.USER32(00000000), ref: 0042E456
    • GetSystemMetrics.USER32(00000001), ref: 0042E468
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • EnumClipboardFormats.USER32(00000000), ref: 004319E8
    • EnumClipboardFormats.USER32(00000000), ref: 00431A0E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches
    APIs
    • GetSystemMetrics.USER32(?), ref: 0042E2BA
      • Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3
    • GetSystemMetrics.USER32(?), ref: 0042E280
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
    • Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
    • Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_regdrv.jbxd
    Yara matches

    Executed Functions

    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • GetModuleFileNameA.KERNEL32(?,?,000000FF,00000000,002B402F), ref: 002B3F33
      • Part of subcall function 002B3CFC: CreateFileA.KERNEL32(002B3CEC,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002B3D12
    • GetLastError.KERNEL32(00000000,002B3E64,?,00000000,002B402F), ref: 002B3E0D
    • GetLastError.KERNEL32(00000000,002B3E64,?,00000000,002B402F), ref: 002B3E25
    • GetLastError.KERNEL32(00000000,002B3E64,?,00000000,002B402F), ref: 002B3E3D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,000F003F,?,00000000,002AA688), ref: 002AA5FC
    • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,002AA688), ref: 002AA631
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,002A73D2), ref: 002A72BB
      • Part of subcall function 002A653C: LoadStringA.USER32(002A1778,0000FF86,?,00000400), ref: 002A6559
      • Part of subcall function 002A7228: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,000F003F,?,00000000,002AA688), ref: 002AA5FC
    • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,002AA688), ref: 002AA631
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 002AA7F5
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,002AA70C,?,?,?,?,?,002AA70C), ref: 002AA6DA
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • CreateFileA.KERNEL32(00000000,00000001,00000001,00000000,00000003,00000080,00000000), ref: 002A65AA
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 002A65EC
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • CreateFileA.KERNEL32(002B3CEC,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002B3D12
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd

    Non-executed Functions

    APIs
    • FindFirstFileA.KERNEL32(00000000,?,?,?,?,002B2B47,00000000,002B2B89), ref: 002A66C3
    • GetLastError.KERNEL32(00000000,?,?,?,?,002B2B47,00000000,002B2B89), ref: 002A66E6
      • Part of subcall function 002A6644: FindNextFileA.KERNEL32(?,?), ref: 002A6654
      • Part of subcall function 002A6644: GetLastError.KERNEL32(?,?), ref: 002A665D
      • Part of subcall function 002A6644: FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
      • Part of subcall function 002A6644: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680
      • Part of subcall function 002A66F4: FindClose.KERNEL32(?,002A66E4,00000000,?,?,?,?,002B2B47,00000000,002B2B89), ref: 002A66FD
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,002A7476,00000000,002A7628,?,?,?,?,00000000), ref: 002A7287
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    APIs
    • GetWindowTextA.USER32(?,?,00000100), ref: 002B258C
    • GetClassNameA.USER32(?,?,00000100), ref: 002B25A6
    • FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 002B25F3
    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 002B2608
    • SendMessageA.USER32(?,0000000F,00000000,00000000), ref: 002B2617
    • SendMessageA.USER32(?,00000002,00000000,00000000), ref: 002B2623
    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 002B262F
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
    • GetFileSize.KERNEL32(?,00000000), ref: 002A546A
    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
    • ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
    • GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
    • GetFileType.KERNEL32 ref: 002A5511
    • CloseHandle.KERNEL32 ref: 002A552C
    • GetLastError.KERNEL32(000000F5), ref: 002A5546
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • LoadLibraryA.KERNEL32(?), ref: 002B359B
    • GetProcAddress.KERNEL32(?,?,00000000,002B36DD), ref: 002B35AB
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,002B36DD), ref: 002B35CF
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL((&), ref: 002A3179
    • LocalFree.KERNEL32(002C4780,00000000,002A3224), ref: 002A318B
    • VirtualFree.KERNEL32(01410000,00000000,00008000,002C4780,00000000,002A3224), ref: 002A31AA
    • LocalFree.KERNEL32(002C5DD0,01410000,00000000,00008000,002C4780,00000000,002A3224), ref: 002A31E9
    • RtlLeaveCriticalSection.NTDLL((&), ref: 002A3214
    • RtlDeleteCriticalSection.NTDLL((&), ref: 002A321E
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
    • VariantCopy.OLEAUT32(?), ref: 00410325
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    APIs
    • GetSystemDefaultLCID.KERNEL32(00000000,002A7628,?,?,?,?,00000000,00000000,00000000), ref: 002A73FA
      • Part of subcall function 002A7228: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246
      • Part of subcall function 002A7274: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,002A7476,00000000,002A7628,?,?,?,?,00000000), ref: 002A7287
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • TlsAlloc.KERNEL32(0000001B,?,002B4DBF), ref: 002A48D0
    • TlsFree.KERNEL32(0000001B,?,002B4DBF), ref: 002A4924
      • Part of subcall function 002A48F0: TlsGetValue.KERNEL32(0000001B,002A4915,?,002B4DBF), ref: 002A48FF
      • Part of subcall function 002A48F0: LocalFree.KERNEL32(00000000,0000001B,002A4915,?,002B4DBF), ref: 002A4909
      • Part of subcall function 002A4844: LocalAlloc.KERNEL32(00000040,00000008,?,002A48AC,0000001B,002A5C4B,00000000,002A5CB2), ref: 002A485F
      • Part of subcall function 002A4844: TlsSetValue.KERNEL32(0000001B,00000000,00000040,00000008,?,002A48AC,0000001B,002A5C4B,00000000,002A5CB2), ref: 002A487D
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RtlInitializeCriticalSection.NTDLL((&), ref: 002A309E
    • RtlEnterCriticalSection.NTDLL((&), ref: 002A30B1
    • LocalAlloc.KERNEL32(00000000,00000FF8,00000000,002A313E), ref: 002A30DB
    • RtlLeaveCriticalSection.NTDLL((&), ref: 002A3138
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 002A56C5
      • Part of subcall function 002A314C: RtlEnterCriticalSection.NTDLL((&), ref: 002A3179
      • Part of subcall function 002A314C: LocalFree.KERNEL32(002C4780,00000000,002A3224), ref: 002A318B
      • Part of subcall function 002A314C: VirtualFree.KERNEL32(01410000,00000000,00008000,002C4780,00000000,002A3224), ref: 002A31AA
      • Part of subcall function 002A314C: LocalFree.KERNEL32(002C5DD0,01410000,00000000,00008000,002C4780,00000000,002A3224), ref: 002A31E9
      • Part of subcall function 002A314C: RtlLeaveCriticalSection.NTDLL((&), ref: 002A3214
      • Part of subcall function 002A314C: RtlDeleteCriticalSection.NTDLL((&), ref: 002A321E
    • ExitProcess.KERNEL32 ref: 002A570D
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL((&), ref: 002A3787
    • RtlLeaveCriticalSection.NTDLL((&), ref: 002A38B2
      • Part of subcall function 002A3088: RtlInitializeCriticalSection.NTDLL((&), ref: 002A309E
      • Part of subcall function 002A3088: RtlEnterCriticalSection.NTDLL((&), ref: 002A30B1
      • Part of subcall function 002A3088: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,002A313E), ref: 002A30DB
      • Part of subcall function 002A3088: RtlLeaveCriticalSection.NTDLL((&), ref: 002A3138
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
    • VariantClear.OLEAUT32(?), ref: 00410037
    Memory Dump Source
    • Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
    • Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
    • Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
    • Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
    • Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
    • Associated: 00000004.00000002.463306188.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_Regdriver.jbxd
    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,b,,?,?,?,002A2F70), ref: 002A2C32
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,b,,?,?,?,002A2F70), ref: 002A2C57
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,b,,?,?,?,002A2F70), ref: 002A2C7D
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • FindNextFileA.KERNEL32(?,?), ref: 002A6654
    • GetLastError.KERNEL32(?,?), ref: 002A665D
    • FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
    • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL((&), ref: 002A3920
    • RtlLeaveCriticalSection.NTDLL((&), ref: 002A3A58
      • Part of subcall function 002A3088: RtlInitializeCriticalSection.NTDLL((&), ref: 002A309E
      • Part of subcall function 002A3088: RtlEnterCriticalSection.NTDLL((&), ref: 002A30B1
      • Part of subcall function 002A3088: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,002A313E), ref: 002A30DB
      • Part of subcall function 002A3088: RtlLeaveCriticalSection.NTDLL((&), ref: 002A3138
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,002B2CB1), ref: 002B2BDF
      • Part of subcall function 002A71A4: GetLocalTime.KERNEL32(?), ref: 002A71AC
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL((&), ref: 002A3C83
      • Part of subcall function 002A3744: RtlEnterCriticalSection.NTDLL((&), ref: 002A3787
      • Part of subcall function 002A3744: RtlLeaveCriticalSection.NTDLL((&), ref: 002A38B2
    • RtlLeaveCriticalSection.NTDLL((&), ref: 002A3CEC
      • Part of subcall function 002A38CC: RtlEnterCriticalSection.NTDLL((&), ref: 002A3920
      • Part of subcall function 002A38CC: RtlLeaveCriticalSection.NTDLL((&), ref: 002A3A58
      • Part of subcall function 002A3088: RtlInitializeCriticalSection.NTDLL((&), ref: 002A309E
      • Part of subcall function 002A3088: RtlEnterCriticalSection.NTDLL((&), ref: 002A30B1
      • Part of subcall function 002A3088: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,002A313E), ref: 002A30DB
      • Part of subcall function 002A3088: RtlLeaveCriticalSection.NTDLL((&), ref: 002A3138
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd
    APIs
    • RtlLeaveCriticalSection.NTDLL((&), ref: 002A3214
    • RtlDeleteCriticalSection.NTDLL((&), ref: 002A321E
    Memory Dump Source
    • Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_2a1000_Regdriver.jbxd

    Executed Functions

    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd
    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
    • VariantCopy.OLEAUT32(?), ref: 00410325
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
    • VariantClear.OLEAUT32(?), ref: 00410037
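    The two API listings above, together with the repeated Memory Dump Source block, carry the information an analyst actually reuses from this part of the report: the order of the calls each function makes and which memory dump the disassembly came from. The following Python is an added example, not code from Joe Sandbox or from this report, that parses those lines back into structured records. It assumes (this page does not document it) that an .sdmp file name is laid out as <process index>.<dump index>.<unique id>.<base address>.<protection>.sdmp, with the first two fields zero-padded decimal and the last one a Windows PAGE_* constant; the sample listing embedded in the block is copied from the first function listing above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows PAGE_* protection constants from winnt.h. ASSUMPTION: the fifth
# field of a Joe Sandbox .sdmp file name carries one of these values.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMPTION on field order: <process idx>.<dump idx>.<unique id>.<base>.<protection>.sdmp
DUMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")
# Matches the report's API lines, e.g. "SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A"
API_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]{8})")

# Constructed sample: the first function listing from this report, verbatim.
SAMPLE_LISTING = """
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
    • VariantCopy.OLEAUT32(?), ref: 00410325
    Memory Dump Source
    • Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
    • Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
    • Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
    • Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
    • Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
    • Associated: 00000005.00000002.487895278.00616000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_regdrv.jbxd
"""


@dataclass
class DumpRef:
    process: int
    dump: int
    uid: int
    base: int
    protection: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protection, f"0x{self.protection:02X}")

    @property
    def executable(self) -> bool:
        # The four PAGE_EXECUTE* values occupy bits 0x10..0x80.
        return (self.protection & 0xF0) != 0


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int


def parse_dump_name(text: str) -> Optional[DumpRef]:
    m = DUMP_RE.search(text)
    if not m:
        return None
    proc, dump, uid, base, prot = m.groups()
    return DumpRef(int(proc), int(dump), int(uid), int(base, 16), int(prot, 16))


def parse_api_line(text: str) -> Optional[ApiCall]:
    m = API_RE.search(text)
    if not m:
        return None
    name, module, args, ref = m.groups()
    arg_list = [a.strip() for a in args.split(",")] if args.strip() else []
    return ApiCall(name, module, arg_list, int(ref, 16))


def parse_function_block(lines: List[str]) -> Tuple[List[ApiCall], Optional[DumpRef], List[DumpRef]]:
    """Split one function listing into API calls, the source dump and the associated dumps."""
    calls, associated, source = [], [], None
    for raw in lines:
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("Source File:"):
            source = parse_dump_name(line)
        elif line.startswith("Associated:"):
            d = parse_dump_name(line)
            if d:
                associated.append(d)
        else:
            c = parse_api_line(line)
            if c:
                calls.append(c)
    return calls, source, associated


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """API names in address order, the form used when comparing against known runtime idioms."""
    return [c.name for c in sorted(calls, key=lambda c: c.ref)]


def triage(calls: List[ApiCall], source: Optional[DumpRef], associated: List[DumpRef]) -> List[str]:
    """Observations worth a second look when reading a listing like this by hand."""
    findings = []
    if source is not None and not source.executable:
        # Under the field-order assumption above, the region IDA disassembled was not
        # executable at dump time; with "based on PE: true" that points at code written
        # into the image after load (unpacking or self-modification) and deserves a check.
        findings.append(
            f"disassembled region 0x{source.base:08X} was dumped as {source.protection_name}, "
            "not an execute protection: check for code written at runtime")
    modules = sorted({c.module for c in calls})
    if modules:
        findings.append("imports touched: " + ", ".join(modules))
    return findings


if __name__ == "__main__":
    calls, source, associated = parse_function_block(SAMPLE_LISTING.splitlines())
    print(" -> ".join(call_sequence(calls)))
    for f in triage(calls, source, associated):
        print(f)
```

Run over the sample listing this prints the OLEAUT32 call chain in address order and flags that the 00401000 region was dumped with PAGE_READWRITE; the same functions can be pointed at any other function listing in the report by pasting its lines into `parse_function_block`.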