Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Analysis ID: 1419153
MD5: cd943166310d5c29ea7fecdd00c23957
SHA1: f14eb88f4cdc2fc251b4471a2975f0576b4df61c
SHA256: 05d741cbb567eb90955cca6eba3b377351976e2d5d013ba3ea42ad04aad72bdb
Tags: dll

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
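The version-info signature in this list ("Sample file is different than original file name gathered from version info") rests on the two OriginalFilename strings the report quotes further down, bszip.dll and sc.exe, neither of which matches the submitted name. As an added example that is not part of the Joe Sandbox report, the Python below pulls every OriginalFilename value out of a raw file image and compares it with the submitted name, which is the same check done by hand. The input blob is constructed here for offline testing and is not bytes from the sample; the function names are the example's own.

```python
"""Extract OriginalFilename values from a PE image's VS_VERSIONINFO strings and compare
them with the name the sample was submitted under."""
import re

# In VS_VERSIONINFO every String entry is: wLength, wValueLength, wType, szKey (UTF-16LE,
# NUL-terminated), WORD padding to a 4-byte boundary, then the UTF-16LE value.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(data: bytes) -> list:
    """Every OriginalFilename value in the buffer, in file order (a clean PE has exactly one)."""
    found, pos = [], 0
    while (idx := data.find(KEY, pos)) >= 0:
        p = idx + len(KEY)
        while data[p:p + 2] == b"\x00\x00" and p + 2 < len(data):  # skip alignment padding
            p += 2
        end = p
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":  # read to WCHAR NUL
            end += 2
        value = data[p:end].decode("utf-16-le", "replace")
        if value:
            found.append(value)
        pos = end
    return found


def check_original_filename(submitted_name: str, data: bytes) -> dict:
    """Reproduce the 'sample file is different than original file name' signature."""
    names = original_filenames(data)
    sub = re.split(r"[\\/]", submitted_name)[-1].lower()  # handles Windows and POSIX paths
    return {
        "original_filenames": names,
        "matches_submitted": any(n.lower() == sub for n in names),
        # One VERSIONINFO resource carries one OriginalFilename; a second value usually
        # comes from another PE embedded or appended inside the file.
        "multiple_version_blocks": len(names) > 1,
    }


# Constructed test blob (not bytes from the analysed sample): two String entries carrying the
# values the report lists, separated by filler, the second one preceded by a padding WORD.
SAMPLE_BLOB = (
    b"\x00" * 8
    + KEY + "bszip.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + KEY + b"\x00\x00" + "sc.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(check_original_filename("SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll", SAMPLE_BLOB))
```

Run it over the whole file rather than only the .rsrc section: the second OriginalFilename in this sample is interesting precisely because a single version resource cannot produce two values, so the string scan should cover any embedded or appended PE as well.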

Classification

(Classification chart not reproduced; label: mal52.winDLL@12/0@0/0)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5220 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6704 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2080 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6876 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll, MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1892 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll, MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Virustotal: Detection: 55%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: sc.pdb | source: loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$
Source: loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | String found in binary or memory: http://www.kaikuoyun.com/list-127-1.htmll)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100511B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100A75C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100511B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100A75C6
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Binary or memory string: OriginalFilenamebszip.dll" vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Binary or memory string: OriginalFilenamesc.exej% vs SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal52.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Virustotal: Detection: 55%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\InprocServer32
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static file information: File size 2334720 > 1048576
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x150000
Source: Binary string: sc.pdb | source: loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10050430 GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, FreeLibrary, FreeLibrary
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1009FAD0 push eax; ret (at 0_2_1009FAFE)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10013787 push ecx; retf 0001h (at 0_2_10013788)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100A1798 push eax; ret (at 0_2_100A17B6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1009FAD0 push eax; ret (at 3_2_1009FAFE)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10013787 push ecx; retf 0001h (at 3_2_10013788)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100A1798 push eax; ret (at 3_2_100A17B6)
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100060FC rdtsc
Source: C:\Windows\System32\loaddll32.exe | API coverage: 9.5 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 6.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node (graph_0-19116)
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node (graph_0-18447)
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node (graph_0-18446)
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_3-18447)
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_3-18446)
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_3-19119)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100060FC rdtsc
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10050430 GetProcAddress, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, FreeLibrary, FreeLibrary
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000BC31 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000DC38 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000E4D8 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000B391 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000BC31 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000DC38 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E4D8 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B391 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Source: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | Binary or memory string: Program ManagerProgman
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Progman
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002F8C8 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1009E49D GetVersion, GetCommandLineA
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: kxetray.exe
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000101CD000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000101CD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: 360Tray.exe
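Several of the detail lines above are raw instruction matches rather than API calls: rdtsc at 0_2_100060FC, cpuid at 0_2_1002F8C8, four mov reg, dword ptr fs:[00000030h] PEB reads, and the push/ret sequences. As an added example that is not part of the Joe Sandbox report, the Python below scans a 32-bit code buffer for the same encodings and reports hits as image-relative addresses in the report's style. It generalises the PEB read to any of the eight 32-bit destination registers, not only the ebx and ecx forms listed. The code buffer is constructed for the test and is not bytes from the sample; IMAGE_BASE is the report's Imagebase value. Caveat a practitioner should keep in mind: byte-level matching without a disassembler also fires inside data and instruction operands, and a retf 1 is not something a compiler emits, so the 0_2_10013787 hit most likely reflects misdisassembled bytes; that is why push/ret patterns alone contribute little to the score.

```python
"""Static scan for the instruction-level anti-analysis indicators the report lists:
rdtsc timing, cpuid, PEB reads through fs:[30h], and push/ret control-flow obfuscation."""
import re

IMAGE_BASE = 0x10000000  # preferred base from the report's static info; only used to print addresses

# 32-bit x86 encodings. In 'mov r32, fs:[disp32]' (64 8B /r) the ModRM byte is 0x05 + 8*reg,
# so the byte class below covers all eight destination registers, not only ebx (1D) and ecx (0D).
INDICATORS = {
    "rdtsc (execution timing)": re.compile(rb"\x0f\x31", re.DOTALL),
    "cpuid (CPU information)": re.compile(rb"\x0f\xa2", re.DOTALL),
    "mov r32, fs:[30h] (PEB read)": re.compile(
        rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00", re.DOTALL),
    "push r32; ret (push/ret obfuscation)": re.compile(rb"[\x50-\x57]\xc3", re.DOTALL),
    "push r32; retf imm16": re.compile(rb"[\x50-\x57]\xca..", re.DOTALL),
}


def scan(code: bytes, base: int = IMAGE_BASE) -> list:
    """Return (virtual_address, indicator, raw_bytes) for every hit, sorted by address."""
    hits = []
    for name, pat in INDICATORS.items():
        for m in pat.finditer(code):
            hits.append((base + m.start(), name, m.group(0)))
    return sorted(hits)


def summarize(code: bytes, base: int = IMAGE_BASE) -> dict:
    """Indicator -> list of hex addresses, the shape of the report's 'Code function: ... rdtsc' lines."""
    out = {}
    for addr, name, _ in scan(code, base):
        out.setdefault(name, []).append(f"{addr:08X}")
    return out


# Constructed test buffer (not bytes from the analysed sample): a few ordinary prologue and
# register moves with the report's indicators placed at known offsets.
SAMPLE_CODE = (
    b"\x55\x8b\xec\x83\xec\x10"        # 0x00: push ebp; mov ebp, esp; sub esp, 10h
    + b"\x0f\x31"                       # 0x06: rdtsc
    + b"\x8b\xd8\x8b\xca"               # 0x08: mov ebx, eax; mov ecx, edx
    + b"\x64\x8b\x1d\x30\x00\x00\x00"   # 0x0C: mov ebx, dword ptr fs:[30h]
    + b"\x0f\xa2"                       # 0x13: cpuid
    + b"\x50\xc3"                       # 0x15: push eax; ret
    + b"\x51\xca\x01\x00"               # 0x17: push ecx; retf 1
    + b"\x8b\xe5\x5d\xc3"               # 0x1B: mov esp, ebp; pop ebp; ret
)

if __name__ == "__main__":
    for name, addrs in summarize(SAMPLE_CODE).items():
        print(f"{name}: {', '.join(addrs)}")
```

To use this on a real file, feed it the raw bytes of the .text section and pass image base plus the section's virtual address as base, so the addresses line up with the report's 0_2_XXXXXXXX identifiers.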
MITRE ATT&CK Matrix

Per tactic, the four techniques shown in the matrix; the number in brackets is the count of matched signatures for that technique, and techniques without a number are unmatched matrix placeholders.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Native API [1]; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection [12]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook
Defense Evasion: Rundll32 [1]; Process Injection [12]; DLL Side-Loading [1]; Obfuscated Files or Information [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery [2]; Process Discovery [1]; System Information Discovery [12]; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph

(Graph image not reproduced. Behavior Graph ID: 1419153; Sample: SecuriteInfo.com.Win32.Malw...; Startdate: 03/04/2024; Architecture: WINDOWS; Score: 52. Signatures on the start node: Multi AV Scanner detection for submitted file; Machine Learning detection for sample. Process edges: loaddll32.exe started cmd.exe, rundll32.exe, rundll32.exe and 2 other processes; cmd.exe started rundll32.exe.)

Antivirus Detection

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | 50% | ReversingLabs | Win32.PUA.Generic
SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | 56% | Virustotal |
SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$ | 0% | Avira URL Cloud | safe
http://www.kaikuoyun.com/list-127-1.htmll) | 0% | Avira URL Cloud | safe
http://www.kaikuoyun.com/list-127-1.htmll) | 0% | Virustotal |
http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$ | 0% | Virustotal |
No contacted domains info

URLs

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.kaikuoyun.com/list-127-1.htmll) | loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.kaikuoyun.com/list-127-1.htmlDVarFileInfo$ | loaddll32.exe, 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4066881545.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4066979714.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4067008230.00000000100BE000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1419153
Start date and time: 2024-04-03 07:21:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
Detection: MAL
Classification: mal52.winDLL@12/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Override analysis time to 240s for rundll32
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
Static File Info

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.198716405019505
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
  • Windows Screen Saver (13104/52) 1.29%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll
File size: 2'334'720 bytes
MD5: cd943166310d5c29ea7fecdd00c23957
SHA1: f14eb88f4cdc2fc251b4471a2975f0576b4df61c
SHA256: 05d741cbb567eb90955cca6eba3b377351976e2d5d013ba3ea42ad04aad72bdb
SHA512: b74199ce9a52d76cb7c6dd712b2baf9fd488e7f09216716748cb43cc2156ac324a26723a11639608bb8559b8525753ce7238c2c5271e30642fd7d43d90d74973
SSDEEP: 49152:v+4MAGd9NjIC9Cmf9LGFA5m5edFMxfSb7C1jMz0:un9NjIsCmf9WgdaxV1jMz
TLSH: 1CB5BF13F69644F1D10C37BA2AA5273D39F59E202A65CC47EBF0EEB63C72951962320D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*./.K.|.K.|.K.|.W.|.K.|.m.|+K.|.W.|.K.|.T.|.K.|.T.|.K.|.K.|.I.|.m.|.K.|.T.|.K.|.T.|.K.|.K.|.K.|PM.|.K.|hk.|.K.|Rich.K.|.......
Icon Hash: 9eb3c18c2ceea99a
Entrypoint: 0x1009e576
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp: 0x6605888F [Thu Mar 28 15:11:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 09adf08de1c24b959dc1d60d4aeafc73
Entrypoint Preview (disassembly from 0x1009e576)
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F385CCA128Bh
cmp dword ptr [102375F8h], 00000000h
jmp 00007F385CCA12A8h
cmp esi, 01h
je 00007F385CCA1287h
cmp esi, 02h
jne 00007F385CCA12A4h
mov eax, dword ptr [10238D68h]
test eax, eax
je 00007F385CCA128Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F385CCA128Eh
push edi
push esi
push ebx
call 00007F385CCA116Ch
test eax, eax
jne 00007F385CCA1286h
xor eax, eax
jmp 00007F385CCA12D0h
push edi
push esi
push ebx
call 00007F385CCA006Fh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F385CCA128Eh
test eax, eax
jne 00007F385CCA12B9h
push edi
push eax
push ebx
call 00007F385CCA1148h
test esi, esi
je 00007F385CCA1287h
cmp esi, 03h
jne 00007F385CCA12A8h
push edi
push esi
push ebx
call 00007F385CCA1137h
test eax, eax
jne 00007F385CCA1285h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F385CCA1293h
mov eax, dword ptr [10238D68h]
test eax, eax
je 00007F385CCA128Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
mov eax, dword ptr [10237604h]
cmp eax, 01h
je 00007F385CCA128Fh
test eax, eax
jne 00007F385CCA1290h
cmp dword ptr [10237608h], 01h
jne 00007F385CCA1287h
call 00007F385CCA60E2h
push dword ptr [esp+04h]
call 00007F385CCA6112h
push 000000FFh
Programming Language:
  • [ C ] VS98 (6.0) SP6 build 8804
  • [C++] VS98 (6.0) SP6 build 8804
  • [C++] VS98 (6.0) build 8168
  • [ C ] VS98 (6.0) build 8168
  • [EXP] VC++ 6.0 SP5 build 8804
  • [LNK] VC++ 6.0 SP5 build 8804
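The header fields above (characteristics, link timestamp, entry point) and the section table below are what a first-pass triage script recovers itself before trusting a report. Added example, not from the Joe Sandbox report or from any tool it uses: a dependency-free Python PE32 parser that decodes the IMAGE_FILE_* characteristics, converts the link timestamp, walks the section table with per-section entropy and flags, and applies the report's two size heuristics (file larger than 1 MiB, any section with raw size above 1 MiB). Because it has to run offline, the block builds its own PE32 skeleton with the same characteristics value (0x210E, which is what the listed flag names add up to) and timestamp (0x6605888F) as the sample; that skeleton is constructed input, not the analysed file. Applied to the real sample, the per-section entropy column is the one to read: .rdata at 7.57 bits per byte over 0x150000 bytes is the profile of compressed or encrypted embedded data rather than read-only constants.

```python
"""Dependency-free PE32 header triage reproducing the 'Static File Info' fields of a sandbox
report: image characteristics, link timestamp, section table with entropy, size heuristics."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_* bits (winnt.h). The report's flag string for this sample decodes from 0x210E.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_SCN_* bits that matter for triage (code in data sections, writable+executable, ...).
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
ONE_MIB = 1 << 20


def shannon_entropy(buf: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def decode_flags(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header pointer, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsect):  # IMAGE_SECTION_HEADER is 40 bytes, right after the optional header
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 6),
            "flags": decode_flags(flags, SECTION_FLAGS),
        })
    return {
        "machine": hex(machine),
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": decode_flags(chars, CHARACTERISTICS),
        "is_dll": bool(chars & 0x2000),
        "entry_point": hex(image_base + entry_rva),
        "sections": sections,
        # Both heuristics fire for the reported sample (2'334'720-byte file, 0x150000-byte .rdata).
        "file_over_1mib": len(data) > ONE_MIB,
        "sections_over_1mib": [s["name"] for s in sections if s["raw_size"] > ONE_MIB],
    }


def build_test_pe(sections, stamp=0x6605888F, chars=0x210E) -> bytes:
    """Constructed PE32 DLL skeleton for offline testing (not the analysed sample).
    sections: list of (name, payload bytes, IMAGE_SCN flags)."""
    nsect, opt_size, align = len(sections), 224, 0x200
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * nsect) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, stamp, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, align)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    table, body, va, ptr = bytearray(), bytearray(), 0x1000, hdr_len
    for name, payload, flags in sections:
        raw = -(-len(payload) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va, raw, ptr,
                             0, 0, 0, 0, flags)
        body += payload.ljust(raw, b"\0")
        va, ptr = va + -(-len(payload) // 0x1000) * 0x1000, ptr + raw
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(hdr_len, b"\0")
    return hdr + bytes(body)


if __name__ == "__main__":
    demo = build_test_pe([(b".text", bytes(range(256)) * 2, 0x60000020),
                          (b".data", b"\0" * 512, 0xC0000040)])
    for key, value in parse_pe(demo).items():
        print(f"{key}: {value}")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to parse_pe; compare the characteristics list and timestamp with the header fields above, and the per-section entropy with the Sections table.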
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x20dd00 | 0xae | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20b990 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x239000 | 0x5758 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x23f000 | 0x971c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xbe000 | 0x708 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbc0e2 | 0xbd000 | a92b9144edb8252b8145430e69544fce | False | 0.4707728794642857 | data | 6.530144673517311 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xbe000 | 0x14fdae | 0x150000 | add82c211ac47f171f4eb18e1addd05a | False | 0.7559843517485119 | data | 7.572126946883007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x20e000 | 0x2ad6c | 0x12000 | 07051be0d9064b7957bcf78f94ca5455 | False | 0.3106011284722222 | data | 5.2063919782989725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x239000 | 0x5758 | 0x6000 | 14ec16686192035bb705814998a976a0 | False | 0.2864583333333333 | data | 4.261691498308698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x23f000 | 0x13f9c | 0x14000 | db9f1e0f6b77f2e8fe158b0c084b3352 | False | 0.30501708984375 | data | 4.0208220606384835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
TEXTINCLUDE | 0x23aa10 | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
TEXTINCLUDE | 0x23aa20 | 0x16 | data | Chinese | China | 1.3636363636363635
TEXTINCLUDE | 0x23aa38 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
RT_CURSOR | 0x23c2f0 | 0x134 | data | Chinese | China | 0.5811688311688312
RT_CURSOR | 0x23c440 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
RT_CURSOR | 0x23c590 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
RT_CURSOR | 0x23c6c8 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
RT_BITMAP | 0x239bc0 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
RT_BITMAP | 0x239e08 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
RT_BITMAP | 0x239f50 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
RT_BITMAP | 0x23a0a8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
RT_BITMAP | 0x23a200 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
RT_BITMAP | 0x23a358 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
RT_BITMAP | 0x23a4b0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
RT_BITMAP | 0x23a608 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
RT_BITMAP | 0x23a760 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
RT_BITMAP | 0x23a8b8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
RT_BITMAP | 0x23c7a8 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
RT_BITMAP | 0x23ce78 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
RT_BITMAP | 0x23cf30 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
RT_BITMAP | 0x23d0a0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
RT_ICON | 0x23ab90 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Ch­inese | China | 0.26344086021505375
RT_ICON | 0x23ae90 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217
RT_ICON | 0x23dae0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.3885135135135135
RT_ICON | 0x23dc08 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.33198924731182794
RT_ICON | 0x23def0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | | | 0.22378048780487805
RT_MENU | 0x23c058 | 0xc | data | Chinese | China | 1.5
RT_MENU | 0x23c068 | 0x284 | data | Chinese | China | 0.5
RT_DIALOG | 0x23bd40 | 0x98 | data | Chinese | China | 0.7171052631578947
RT_DIALOG | 0x23bdd8 | 0x17a | data | Chinese | China | 0.5185185185185185
RT_DIALOG | 0x23bf58 | 0xfa | data | Chinese | China | 0.696
RT_DIALOG | 0x23ba08 | 0xea | data | Chinese | China | 0.6239316239316239
RT_DIALOG | 0x23afd0 | 0x8ae | data | Chinese | China | 0.39603960396039606
RT_DIALOG | 0x23b880 | 0xb2 | data | Chinese | China | 0.7359550561797753
RT_DIALOG | 0x23b938 | 0xcc | data | Chinese | China | 0.7647058823529411
RT_DIALOG | 0x23baf8 | 0xb2 | data | Chinese | China | 0.6629213483146067
RT_DIALOG | 0x23cd90 | 0xe2 | data | Chinese | China | 0.6637168141592921
RT_DIALOG | 0x23bbb0 | 0x18c | data | Chinese | China | 0.5227272727272727
RT_STRING | 0x23d1e8 | 0x50 | data | Chinese | China | 0.85
RT_STRING | 0x23d238 | 0x2c | data | Chinese | China | 0.5909090909090909
RT_STRING | 0x23d268 | 0x78 | data | Chinese | China | 0.925
RT_STRING | 0x23d2e0 | 0x1c4 | data | Chinese | China | 0.8141592920353983
RT_STRING | 0x23d630 | 0x12a | data | Chinese | China | 0.5201342281879194
RT_STRING | 0x23d4e8 | 0x146 | data | Chinese | China | 0.6288343558282209
RT_STRING | 0x23d4a8 | 0x40 | data | Chinese | China | 0.65625
RT_STRING | 0x23da50 | 0x64 | data | Chinese | China | 0.73
RT_STRING | 0x23d760 | 0x1d8 | data | Chinese | China | 0.6758474576271186
RT_STRING | 0x23d938 | 0x114 | data | Chinese | China | 0.6376811594202898
RT_STRING | 0x23dab8 | 0x24 | data | Chinese | China | 0.4444444444444444
RT_GROUP_CURSOR | 0x23c578 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
RT_GROUP_CURSOR | 0x23c428 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
RT_GROUP_CURSOR | 0x23c780 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
RT_GROUP_ICON | 0x23e558 | 0x30 | data | | | 0.9166666666666666
RT_GROUP_ICON | 0x23ae78 | 0x14 | data | Chinese | China | 1.2
RT_GROUP_ICON | 0x23afb8 | 0x14 | data | Chinese | China | 1.25
RT_MANIFEST | 0x23e588 | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | | | 0.5878524945770065
DLL | Import
KERNEL32.dll | lstrcpynA, SetLastError, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, InterlockedDecrement, GetCurrentProcess, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, SetStdHandle, IsBadCodePtr, IsBadReadPtr, CompareStringW, CompareStringA, SetUnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, IsBadWritePtr, VirtualAlloc, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, GetACP, HeapSize, TerminateProcess, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RaiseException, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, GetFileAttributesA, DeleteFileA, SetCurrentDirectoryA, RtlUnwind, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, GetFileSize, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GetVersion, GlobalGetAtomNameA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, DuplicateHandle, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, InterlockedIncrement
USER32.dll | GetCursorPos, MessageBoxA, SetWindowPos, SendMessageA, DestroyCursor, SetParent, IsWindow, PostMessageA, GetTopWindow, GetParent, GetFocus, GetClientRect, InvalidateRect, ValidateRect, UpdateWindow, EqualRect, GetWindowRect, SetForegroundWindow, DestroyMenu, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, GetSystemMetrics, IsChild, ReleaseDC, IsRectEmpty, FillRect, GetDC, SetCursor, LoadCursorA, SetCursorPos, SetActiveWindow, GetSysColor, SetWindowLongA, GetWindowLongA, RedrawWindow, EnableWindow, IsWindowVisible, OffsetRect, PtInRect, DestroyIcon, IntersectRect, InflateRect, SetRect, SetScrollPos, SetScrollRange, GetScrollRange, SetCapture, GetCapture, ReleaseCapture, SetTimer, GetForegroundWindow, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetMenu, SetMenu, PeekMessageA, IsIconic, GetWindowTextA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, GetClassNameA, GetDesktopWindow, UnregisterClassA, LoadStringA, GetSysColorBrush, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer
GDI32.dll | SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, CreatePen, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, CreateFontIndirectA, GetStockObject, GetObjectA, CreateRectRgnIndirect, EndDoc, DeleteDC, StartDocA, StartPage, StretchBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, LineTo, CreatePalette, GetSystemPaletteEntries, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, BitBlt, SetBkColor, EndPage, GetTextMetricsA, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetViewportExtEx, ExtSelectClipRgn
WINMM.dll | midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, waveOutClose, waveOutReset, waveOutPause, waveOutWrite, waveOutPrepareHeader, waveOutUnprepareHeader
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll | RegQueryValueA, RegDeleteKeyA, RegDeleteValueA, RegCreateKeyA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegCreateKeyExA
SHELL32.dll | Shell_NotifyIconA, ShellExecuteA
ole32.dll | CLSIDFromProgID, OleInitialize, OleUninitialize, CLSIDFromString, CoCreateInstance, OleRun
OLEAUT32.dll | VariantCopy, VariantClear, VariantChangeType, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib
COMCTL32.dll | ImageList_Destroy
WS2_32.dll | closesocket, WSAAsyncSelect, gethostname, recvfrom, WSACleanup, ioctlsocket, recv, inet_ntoa, getpeername, accept, WSAStartup
comdlg32.dll | GetFileTitleA, GetSaveFileNameA, ChooseColorA, GetOpenFileNameA
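The import table above is the raw material for an import hash, the value analysts use to cluster builds that share a linker layout even when file hashes differ. As an added example that is not part of the Joe Sandbox report, the Python below computes one from a table of (DLL, function) pairs using the normalization of the widely used pefile imphash: DLL names lowercased with a .dll/.ocx/.sys suffix removed (WINSPOOL.DRV keeps its extension), function names lowercased, name-less imports written as ordN, entries joined by commas in table order, then MD5. SAMPLE_IMPORTS is an abridged subset of this sample's imports, so the hash it yields is not the sample's real imphash; pefile's ordinal-to-name lookup for a few well-known DLLs is omitted, which is a simplifying assumption of this example. The small has_dynamic_resolution helper ties the table back to the report's "Contains functionality to dynamically determine API calls" signature, which this import set (LoadLibraryA plus GetProcAddress) satisfies.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# One import: (DLL name as written in the import directory, function name or ordinal).
Import = Tuple[str, Union[str, int]]

# Abridged subset of this sample's import table, in report order. Because only a
# few functions per DLL are embedded, the hash below is NOT the sample's real
# imphash; it demonstrates the procedure on data of the same shape.
SAMPLE_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "lstrcpynA"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "TerminateProcess"),
    ("KERNEL32.dll", "WinExec"),
    ("KERNEL32.dll", "FreeLibrary"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("USER32.dll", "SetWindowsHookExA"),
    ("WINSPOOL.DRV", "OpenPrinterA"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("SHELL32.dll", "ShellExecuteA"),
    ("WS2_32.dll", "WSAStartup"),
]

# Extensions that the imphash convention strips from the DLL name.
_STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def normalize_dll(dll: str) -> str:
    """Lowercase the DLL name and drop a .dll/.ocx/.sys suffix; other extensions stay."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in _STRIPPED_EXTENSIONS else name


def imphash_string(imports: Iterable[Import]) -> str:
    """Build the comma-joined 'dll.function' string that gets hashed; order is significant."""
    parts = []
    for dll, func in imports:
        # Imports without a name are written as ordN. (pefile additionally maps ordinals
        # of a few well-known DLLs back to names; that lookup table is omitted here.)
        func_name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{normalize_dll(dll)}.{func_name}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the normalized import string: the import hash used to cluster related builds."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def has_dynamic_resolution(imports: Iterable[Import]) -> bool:
    """True when the table holds both LoadLibraryA and GetProcAddress, the pair behind the
    report's 'Contains functionality to dynamically determine API calls' signature."""
    names = {func.lower() for _, func in imports if isinstance(func, str)}
    return "loadlibrarya" in names and "getprocaddress" in names


if __name__ == "__main__":
    print("normalized:", imphash_string(SAMPLE_IMPORTS))
    print("imphash   :", imphash(SAMPLE_IMPORTS))
    print("dynamic API resolution:", has_dynamic_resolution(SAMPLE_IMPORTS))
```

Two imports that differ only in order hash differently, which is why an imphash computed from a hand-sorted list will never match the one a sandbox or VirusTotal reports; feed the entries in import-directory order.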
Name | Ordinal | Address
_main | 1 | 0x10036717
Language of compilation system | Country where language is spoken
Chinese | China
No network behavior found


Target ID:0
Start time:07:21:51
Start date:03/04/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll"
Imagebase:0xb50000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:1
Start time:07:21:51
Start date:03/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:07:21:51
Start date:03/04/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:07:21:51
Start date:03/04/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main
Imagebase:0xd30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:4
Start time:07:21:51
Start date:03/04/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1
Imagebase:0xd30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:5
Start time:07:21:54
Start date:03/04/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Imagebase:0xd30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:6
Start time:07:21:57
Start date:03/04/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,
Imagebase:0xd30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false
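The process list above shows the sandbox driving the DLL three ways: by ordinal (#1), by exported name (_main, which the export table shows is ordinal 1), and with an empty entry point after the comma. As an added example that is not part of the Joe Sandbox report, the Python below parses rundll32 command lines of exactly those shapes and applies a simple triage heuristic. The command lines embedded in it are copied from the report's process list; the user-writable path markers and the heuristic itself are assumptions of this example, not rules taken from the report. The loaddll32 and cmd.exe wrapper lines are deliberately left unmatched, because in endpoint telemetry the child rundll32 process carries its own command line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command lines exactly as they appear in the process list of this report.
REPORT_CMDLINES = [
    r'loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll"',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1',
    r'rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,_main',
    r'rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.11946.22825.dll,',
]

# Path fragments treated as user-writable by the triage heuristic (an assumption of this
# example, not a list taken from the report).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# rundll32 <dll>[,<entry>] [args]: the DLL may be quoted; <entry> may be a name, "#N"
# for an ordinal, or empty when the comma is present but nothing follows it.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'   # rundll32 image, optionally with a path
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>[^\s,]+))'          # DLL path, quoted or bare
    r'\s*(?:,\s*(?P<entry>\S*))?'                        # optional ",entry"; entry may be empty
    r'(?:\s+(?P<args>.*))?\s*$',
    re.IGNORECASE,
)


@dataclass
class RunDllInvocation:
    dll_path: str
    export: Optional[str]    # named entry point, if any
    ordinal: Optional[int]   # entry point given as #N
    export_empty: bool       # "dll," with nothing after the comma
    args: str


def parse_rundll32(cmdline: str) -> Optional[RunDllInvocation]:
    """Parse a rundll32 command line; returns None for lines that are not rundll32 invocations
    (the loaddll32 and cmd.exe wrapper lines in the report fall into that category)."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll_path = m.group("qpath") or m.group("path")
    entry = m.group("entry")            # None: no comma; "": comma with nothing after it
    export, ordinal, empty = None, None, False
    if entry == "":
        empty = True
    elif entry is not None and re.fullmatch(r"#\d+", entry):
        ordinal = int(entry[1:])
    elif entry is not None:
        export = entry
    return RunDllInvocation(dll_path, export, ordinal, empty, m.group("args") or "")


def triage(inv: RunDllInvocation) -> List[str]:
    """Heuristic reasons to look closer; an empty list means nothing stood out."""
    reasons = []
    if any(marker in inv.dll_path.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("dll loaded from a user-writable path")
    if inv.ordinal is not None:
        reasons.append("entry point given by ordinal")
    if inv.export_empty:
        reasons.append("empty entry point after the comma")
    return reasons


def triage_report(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the parser and triage over a batch of command lines, skipping non-rundll32 ones."""
    results = []
    for line in cmdlines:
        inv = parse_rundll32(line)
        if inv is not None:
            results.append((line, triage(inv)))
    return results


if __name__ == "__main__":
    for line, reasons in triage_report(REPORT_CMDLINES):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

Ordinal and empty entry points are common in sandbox harnesses and rare in legitimate software installs, which is why they are worth a flag on their own; in production the path check is the stronger signal, since signed system DLLs under System32 called by name (for example Control_RunDLL) produce no reasons at all.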


    Execution Graph

    Execution Coverage:1.5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:9.5%
    Total number of Nodes:1161
    Total number of Limit Nodes:6
    execution_graph: serialized node/edge data of the interactive execution-graph viewer (1161 nodes; the list in this export is truncated mid-way), omitted here. API calls annotated on the graph's nodes: GetPEB; heap and memory management (RtlAllocateHeap, HeapAlloc, HeapReAlloc, HeapFree, VirtualAlloc, VirtualFree, GlobalAlloc, GlobalReAlloc, GlobalLock, GlobalUnlock, GlobalHandle, LocalAlloc, LocalReAlloc); synchronization and TLS (InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, TlsAlloc, TlsGetValue, TlsSetValue, SetEvent, WaitForSingleObject, CloseHandle); dynamic API resolution and module handling (LoadLibraryA, GetProcAddress, FreeLibrary); process and error handling (GetVersion, GetCurrentThreadId, RaiseException, ExitProcess); UI and string helpers (IsWindow, SendMessageA, DestroyCursor, MessageBoxA, wsprintfA, LoadStringA, lstrlenA, lstrcpynA); teardown (WSACleanup, OleUninitialize).
100a7fb2 19352->19355 19355->19353 19356 1009efb8 RtlUnwind 19355->19356 19357 1009efd0 19356->19357 19357->19355 18546 1009e576 18547 1009e589 18546->18547 18550 1009e592 18546->18550 18555 1009e5ba 18547->18555 18556 1009d3b0 18547->18556 18550->18547 18550->18555 18588 1009e49d 18550->18588 18552 1009e5da 18553 1009e49d 105 API calls 18552->18553 18552->18555 18553->18555 18554 1009e49d 105 API calls 18554->18552 18557 1009d3b9 18556->18557 18558 1009d422 18556->18558 18617 100b7b09 18557->18617 18559 1009d458 18558->18559 18560 1009d428 18558->18560 18565 100b40ee 65 API calls 18559->18565 18586 1009d3e3 18559->18586 18562 100b7d40 65 API calls 18560->18562 18566 1009d42d 18562->18566 18568 1009d463 18565->18568 18656 100b40ee 18566->18656 18569 100b40f7 66 API calls 18568->18569 18573 1009d46a 18569->18573 18572 100b7d40 65 API calls 18575 1009d3ea 18572->18575 18692 100b368b 18573->18692 18578 1009d405 18575->18578 18587 100ae767 31 API calls 18575->18587 18652 100b844b 18578->18652 18580 100b92ce 68 API calls 18583 1009d44c 18580->18583 18582 1009d3f8 18582->18578 18584 1009d3de 18582->18584 18688 100b8461 18583->18688 18631 100b92ce 18584->18631 18586->18552 18586->18554 18586->18555 18587->18582 18589 1009e4aa GetVersion 18588->18589 18590 1009e532 18588->18590 18812 100a3387 HeapCreate 18589->18812 18592 1009e538 18590->18592 18593 1009e564 18590->18593 18594 1009e4fd 18592->18594 18597 1009e553 18592->18597 18900 100a1f0a 18592->18900 18593->18594 18913 100a2b2a 18593->18913 18594->18547 18595 1009e4bc 18595->18594 18824 100a2a3e 18595->18824 18903 100a2d86 18597->18903 18601 1009e4f4 18603 1009e4f8 18601->18603 18604 1009e501 GetCommandLineA 18601->18604 18871 100a33e4 18603->18871 18834 100a30e0 18604->18834 18609 100a33e4 6 API calls 18609->18594 18612 1009e51b 18878 100a2e93 18612->18878 18614 1009e520 18887 100a2dda 18614->18887 18616 1009e525 18616->18594 18618 100b8309 65 API calls 18617->18618 18619 1009d3c6 18618->18619 18620 100b8baa 
SetErrorMode SetErrorMode 18619->18620 18621 100b7d40 65 API calls 18620->18621 18622 100b8bc1 18621->18622 18623 100b7d40 65 API calls 18622->18623 18624 100b8bd0 18623->18624 18625 100b8bf6 18624->18625 18702 100b8c0d 18624->18702 18627 100b7d40 65 API calls 18625->18627 18628 100b8bfb 18627->18628 18629 1009d3da 18628->18629 18721 100b362c 18628->18721 18629->18572 18629->18584 18632 100b7d40 65 API calls 18631->18632 18633 100b92d7 18632->18633 18634 100b8e13 6 API calls 18633->18634 18639 100b92e0 18634->18639 18635 100b930d 18636 100b8e83 LeaveCriticalSection 18635->18636 18638 100b9317 18636->18638 18637 100a17b7 29 API calls 18637->18639 18641 100b7d40 65 API calls 18638->18641 18639->18635 18639->18637 18640 100b7d40 65 API calls 18639->18640 18642 100b92fe UnregisterClassA 18640->18642 18643 100b931c 18641->18643 18642->18639 18644 100b7b09 65 API calls 18643->18644 18647 100b9334 18644->18647 18645 100b7d40 65 API calls 18646 100b9359 18645->18646 18648 100b937e 18646->18648 18649 100b936b UnhookWindowsHookEx 18646->18649 18650 100b9371 18646->18650 18647->18645 18648->18586 18649->18650 18650->18648 18651 100b9378 UnhookWindowsHookEx 18650->18651 18651->18648 18653 100b845e 18652->18653 18654 100b8455 18652->18654 18653->18586 18748 100b81d6 EnterCriticalSection 18654->18748 18657 100b7d66 65 API calls 18656->18657 18658 1009d440 18657->18658 18659 100b40f7 18658->18659 18660 100b7d66 65 API calls 18659->18660 18662 100b4102 18660->18662 18661 1009d447 18661->18580 18662->18661 18663 100b4164 18662->18663 18664 100b412d 18662->18664 18751 100b3617 18662->18751 18665 100b7d40 65 API calls 18663->18665 18756 100b4315 18664->18756 18666 100b4169 18665->18666 18669 100b8309 65 API calls 18666->18669 18671 100b417b 18669->18671 18671->18661 18674 100b418e 18671->18674 18760 100a214e 18671->18760 18672 100b4315 29 API calls 18673 100b414c 18672->18673 18675 100b4315 29 API calls 18673->18675 18674->18661 18678 100b41bc 18674->18678 18680 100a214e 30 API calls 
18674->18680 18677 100b4154 18675->18677 18679 100b4315 29 API calls 18677->18679 18682 1009fdd7 29 API calls 18678->18682 18681 100b415c 18679->18681 18684 100b41b1 18680->18684 18685 100b4315 29 API calls 18681->18685 18683 100b41c9 18682->18683 18683->18661 18687 1009fdd7 29 API calls 18683->18687 18686 1009fcee 29 API calls 18684->18686 18685->18663 18686->18678 18687->18661 18689 100b846b 18688->18689 18690 100b8478 18688->18690 18790 100b82b0 EnterCriticalSection 18689->18790 18690->18586 18693 100b3695 __EH_prolog 18692->18693 18694 100b40ee 65 API calls 18693->18694 18695 100b36a7 18694->18695 18696 100b40f7 66 API calls 18695->18696 18697 100b36ae 18696->18697 18699 100b36bd 18697->18699 18808 100b8380 18697->18808 18698 100b36fc 18698->18586 18699->18698 18701 100b82b0 7 API calls 18699->18701 18701->18698 18703 100b7d40 65 API calls 18702->18703 18704 100b8c20 GetModuleFileNameA 18703->18704 18732 100a04c4 18704->18732 18706 100b8c52 18738 100b8d2a 18706->18738 18709 100b8c84 18711 100b43fe 66 API calls 18709->18711 18720 100b8cbe 18709->18720 18718 100b8ca6 18711->18718 18712 100b8cf1 18714 100b8d00 lstrcatA 18712->18714 18715 100b8d1e 18712->18715 18713 100b8cd6 lstrcpyA 18716 100a1ea1 29 API calls 18713->18716 18717 100a1ea1 29 API calls 18714->18717 18715->18625 18716->18712 18717->18715 18719 100a1ea1 29 API calls 18718->18719 18719->18720 18720->18712 18720->18713 18722 100b7d40 65 API calls 18721->18722 18723 100b3631 18722->18723 18724 100b7b09 65 API calls 18723->18724 18731 100b3689 18723->18731 18725 100b363d GetCurrentThreadId SetWindowsHookExA 18724->18725 18726 100b83cb 7 API calls 18725->18726 18727 100b3667 18726->18727 18728 100b3674 18727->18728 18729 100b7d40 65 API calls 18727->18729 18730 100b8309 65 API calls 18728->18730 18729->18728 18730->18731 18731->18629 18733 100a04d2 18732->18733 18734 100a04e1 18732->18734 18733->18706 18735 100a5b60 29 API calls 18734->18735 18736 100a04e9 18735->18736 18747 100a5bc1 LeaveCriticalSection 
18736->18747 18739 100b8d32 18738->18739 18740 100b8d6a lstrcpynA 18739->18740 18741 100b8d60 lstrlenA 18739->18741 18742 100b8c6e 18740->18742 18741->18742 18742->18709 18743 100a1ea1 18742->18743 18744 100a1eaa 18743->18744 18746 100a1eb7 18743->18746 18745 1009fdd7 29 API calls 18744->18745 18745->18746 18746->18709 18747->18733 18749 100b820b LeaveCriticalSection 18748->18749 18750 100b81ec 18748->18750 18749->18653 18750->18749 18752 100b7d66 65 API calls 18751->18752 18753 100b361c 18752->18753 18754 100b3628 18753->18754 18755 100b7d40 65 API calls 18753->18755 18754->18664 18755->18754 18757 100b4144 18756->18757 18759 100b4322 18756->18759 18757->18672 18772 100ae19d 18759->18772 18761 100a217b 18760->18761 18762 100a21c1 18760->18762 18764 100a5b60 29 API calls 18761->18764 18763 100a220c HeapSize 18762->18763 18765 100a5b60 29 API calls 18762->18765 18766 100a221f 18763->18766 18767 100a2182 18764->18767 18768 100a21cd 18765->18768 18766->18674 18782 100a21b8 18767->18782 18785 100a2233 18768->18785 18771 100a21af 18771->18763 18771->18766 18773 100ae1ad 18772->18773 18774 100ae1a7 18772->18774 18778 100ae144 18773->18778 18775 100ae664 29 API calls 18774->18775 18775->18773 18780 100ae148 18778->18780 18781 100ae158 18778->18781 18779 100ae664 29 API calls 18779->18780 18780->18779 18780->18781 18781->18757 18788 100a5bc1 LeaveCriticalSection 18782->18788 18784 100a21bf 18784->18771 18789 100a5bc1 LeaveCriticalSection 18785->18789 18787 100a223a 18787->18771 18788->18784 18789->18787 18791 100b82df 18790->18791 18792 100b82c5 TlsGetValue 18790->18792 18793 100b82fd LeaveCriticalSection 18791->18793 18796 100b8217 4 API calls 18791->18796 18797 100b82dd 18791->18797 18792->18793 18794 100b82d1 18792->18794 18793->18690 18798 100b8217 18794->18798 18796->18791 18797->18793 18799 100b8270 EnterCriticalSection 18798->18799 18804 100b822e 18798->18804 18806 100b7e50 18799->18806 18802 100b829f TlsSetValue 18805 100b82a9 18802->18805 18803 100b8297 
18803->18802 18804->18799 18804->18805 18805->18797 18807 100b7e56 LeaveCriticalSection LocalFree 18806->18807 18807->18802 18807->18803 18809 100b8387 18808->18809 18811 100b839c 18808->18811 18810 100b8390 TlsGetValue 18809->18810 18809->18811 18810->18811 18811->18699 18813 100a33dd 18812->18813 18814 100a33a7 18812->18814 18813->18595 18935 100a323f 18814->18935 18817 100a33c3 18820 100a33e0 18817->18820 18949 100a78bc 18817->18949 18818 100a33b6 18947 100a6d75 HeapAlloc 18818->18947 18820->18595 18821 100a33c0 18821->18820 18823 100a33d1 HeapDestroy 18821->18823 18823->18813 19081 100a5acb InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 18824->19081 18826 100a2a44 TlsAlloc 18827 100a2a8e 18826->18827 18828 100a2a54 18826->18828 18827->18601 18829 100a0c42 30 API calls 18828->18829 18830 100a2a5d 18829->18830 18830->18827 18831 100a2a65 TlsSetValue 18830->18831 18831->18827 18832 100a2a76 18831->18832 18833 100a2a7c GetCurrentThreadId 18832->18833 18833->18601 18835 100a30fb GetEnvironmentStringsW 18834->18835 18836 100a312e 18834->18836 18837 100a310f GetEnvironmentStrings 18835->18837 18838 100a3103 18835->18838 18836->18838 18839 100a311f 18836->18839 18837->18839 18840 1009e511 18837->18840 18841 100a313b GetEnvironmentStringsW 18838->18841 18847 100a3147 WideCharToMultiByte 18838->18847 18839->18840 18842 100a31c1 GetEnvironmentStrings 18839->18842 18846 100a31cd 18839->18846 18857 100a2bca 18840->18857 18841->18840 18841->18847 18842->18840 18842->18846 18844 100a317b 18849 1009fdd7 29 API calls 18844->18849 18845 100a31ad FreeEnvironmentStringsW 18845->18840 18848 1009fdd7 29 API calls 18846->18848 18847->18844 18847->18845 18855 100a31e8 18848->18855 18850 100a3181 18849->18850 18850->18845 18851 100a318a WideCharToMultiByte 18850->18851 18853 100a319b 18851->18853 18854 100a31a4 18851->18854 18852 100a31fe FreeEnvironmentStringsA 18852->18840 18856 1009fcee 29 API calls 18853->18856 18854->18845 
18855->18852 18856->18854 18858 1009fdd7 29 API calls 18857->18858 18859 100a2bdd 18858->18859 18860 100a2beb GetStartupInfoA 18859->18860 18861 1009e613 7 API calls 18859->18861 18863 100a2c39 18860->18863 18864 100a2d0a 18860->18864 18861->18860 18863->18864 18867 100a2cb0 18863->18867 18868 1009fdd7 29 API calls 18863->18868 18865 100a2d75 SetHandleCount 18864->18865 18866 100a2d35 GetStdHandle 18864->18866 18865->18612 18866->18864 18869 100a2d43 GetFileType 18866->18869 18867->18864 18870 100a2cd2 GetFileType 18867->18870 18868->18863 18869->18864 18870->18867 18872 100a33f0 18871->18872 18876 100a3456 18871->18876 18873 100a3442 HeapFree 18872->18873 18875 100a3410 VirtualFree VirtualFree HeapFree 18872->18875 18874 100a347d HeapDestroy 18873->18874 18874->18594 18875->18873 18875->18875 18876->18874 18877 100a3469 VirtualFree 18876->18877 18877->18876 18879 100a2eaa GetModuleFileNameA 18878->18879 18880 100a2ea5 18878->18880 18882 100a2ecd 18879->18882 19082 100a2a22 18880->19082 18883 1009fdd7 29 API calls 18882->18883 18884 100a2eee 18883->18884 18885 100a2efe 18884->18885 18886 1009e613 7 API calls 18884->18886 18885->18614 18886->18885 18888 100a2de7 18887->18888 18891 100a2dec 18887->18891 18889 100a2a22 48 API calls 18888->18889 18889->18891 18890 1009fdd7 29 API calls 18892 100a2e19 18890->18892 18891->18890 18893 1009e613 7 API calls 18892->18893 18899 100a2e2d 18892->18899 18893->18899 18894 100a2e70 18895 1009fcee 29 API calls 18894->18895 18896 100a2e7c 18895->18896 18896->18616 18897 1009fdd7 29 API calls 18897->18899 18898 1009e613 7 API calls 18898->18899 18899->18894 18899->18897 18899->18898 19111 100a1f19 18900->19111 18905 100a2d8e 18903->18905 18904 1009e558 18908 100a2a92 18904->18908 18905->18904 18906 1009fcee 29 API calls 18905->18906 18907 100a2da8 DeleteCriticalSection 18905->18907 18906->18905 18907->18905 19127 100a5af4 18908->19127 18910 100a2a97 18911 1009e55d 18910->18911 18912 100a2aa1 TlsFree 18910->18912 18911->18609 
18912->18911 18914 100a2b38 18913->18914 18915 100a2bc9 18913->18915 18916 100a2b4e 18914->18916 18917 100a2b41 TlsGetValue 18914->18917 18915->18594 18918 100a2b5b 18916->18918 18920 1009fcee 29 API calls 18916->18920 18917->18916 18919 100a2bba TlsSetValue 18917->18919 18921 100a2b69 18918->18921 18922 1009fcee 29 API calls 18918->18922 18919->18915 18920->18918 18923 100a2b77 18921->18923 18924 1009fcee 29 API calls 18921->18924 18922->18921 18925 100a2b85 18923->18925 18927 1009fcee 29 API calls 18923->18927 18924->18923 18926 100a2b93 18925->18926 18928 1009fcee 29 API calls 18925->18928 18929 100a2ba1 18926->18929 18930 1009fcee 29 API calls 18926->18930 18927->18925 18928->18926 18931 100a2bb2 18929->18931 18932 1009fcee 29 API calls 18929->18932 18930->18929 18933 1009fcee 29 API calls 18931->18933 18932->18931 18934 100a2bb9 18933->18934 18934->18919 18958 1009fad0 18935->18958 18937 100a324c GetVersionExA 18938 100a3268 18937->18938 18939 100a3282 GetEnvironmentVariableA 18937->18939 18938->18939 18941 100a327a 18938->18941 18940 100a335f 18939->18940 18943 100a32a1 18939->18943 18940->18941 18963 100a3212 GetModuleHandleA 18940->18963 18941->18817 18941->18818 18944 100a32e6 GetModuleFileNameA 18943->18944 18945 100a32de 18943->18945 18944->18945 18945->18940 18960 100a223c 18945->18960 18948 100a6d91 18947->18948 18948->18821 18950 100a78c9 18949->18950 18951 100a78d0 HeapAlloc 18949->18951 18952 100a78ed VirtualAlloc 18950->18952 18951->18952 18953 100a7925 18951->18953 18954 100a790d VirtualAlloc 18952->18954 18955 100a79e2 18952->18955 18953->18821 18954->18953 18956 100a79d4 VirtualFree 18954->18956 18955->18953 18957 100a79ea HeapFree 18955->18957 18956->18955 18957->18953 18959 1009fadc 18958->18959 18959->18937 18959->18959 18965 100a2253 18960->18965 18964 100a3229 18963->18964 18964->18941 18967 100a226b 18965->18967 18968 100a229b 18967->18968 18974 100a6962 18967->18974 18969 100a6962 6 API calls 18968->18969 18972 100a23c4 18968->18972 18973 
100a224f 18968->18973 18978 100a023c 18968->18978 18969->18968 18972->18973 18989 100a088d 18972->18989 18973->18940 18975 100a6980 18974->18975 18977 100a6974 18974->18977 18992 100aa1be 18975->18992 18977->18967 18979 100a025a InterlockedIncrement 18978->18979 18981 100a0247 18978->18981 18980 100a0276 InterlockedDecrement 18979->18980 18984 100a0280 18979->18984 18982 100a5b60 29 API calls 18980->18982 18981->18968 18982->18984 19004 100a02ab 18984->19004 18986 100a02a0 InterlockedDecrement 18986->18981 18987 100a0296 19010 100a5bc1 LeaveCriticalSection 18987->19010 19029 100a2ac3 GetLastError TlsGetValue 18989->19029 18991 100a0892 18991->18973 18993 100aa1ef GetStringTypeW 18992->18993 18994 100aa207 18992->18994 18993->18994 18995 100aa20b GetStringTypeA 18993->18995 18996 100aa232 GetStringTypeA 18994->18996 18997 100aa256 18994->18997 18995->18994 18998 100aa2f3 18995->18998 18996->18998 18997->18998 19000 100aa26c MultiByteToWideChar 18997->19000 18998->18977 19000->18998 19001 100aa290 19000->19001 19001->18998 19002 100aa2ca MultiByteToWideChar 19001->19002 19002->18998 19003 100aa2e3 GetStringTypeW 19002->19003 19003->18998 19005 100a02d6 19004->19005 19009 100a028d 19004->19009 19006 100a02f2 19005->19006 19007 100a6962 6 API calls 19005->19007 19006->19009 19011 100a6a64 19006->19011 19007->19006 19009->18986 19009->18987 19010->18981 19012 100a6a94 LCMapStringW 19011->19012 19015 100a6ab0 19011->19015 19013 100a6ab8 LCMapStringA 19012->19013 19012->19015 19014 100a6bf2 19013->19014 19013->19015 19014->19009 19016 100a6af9 LCMapStringA 19015->19016 19017 100a6b16 19015->19017 19016->19014 19017->19014 19018 100a6b2c MultiByteToWideChar 19017->19018 19018->19014 19019 100a6b56 19018->19019 19019->19014 19020 100a6b8c MultiByteToWideChar 19019->19020 19020->19014 19021 100a6ba5 LCMapStringW 19020->19021 19021->19014 19022 100a6bc0 19021->19022 19023 100a6bc6 19022->19023 19025 100a6c06 19022->19025 19023->19014 19024 100a6bd4 LCMapStringW 19023->19024 
19024->19014 19025->19014 19026 100a6c3e LCMapStringW 19025->19026 19026->19014 19027 100a6c56 WideCharToMultiByte 19026->19027 19027->19014 19030 100a2b1e SetLastError 19029->19030 19031 100a2adf 19029->19031 19030->18991 19040 100a0c42 19031->19040 19034 100a2af0 TlsSetValue 19035 100a2b16 19034->19035 19036 100a2b01 19034->19036 19037 1009e613 7 API calls 19035->19037 19039 100a2b07 GetCurrentThreadId 19036->19039 19038 100a2b1d 19037->19038 19038->19030 19039->19030 19044 100a0c77 19040->19044 19041 100a0d5d 19041->19034 19041->19035 19042 100a0d2f HeapAlloc 19042->19044 19043 100a5b60 29 API calls 19043->19044 19044->19041 19044->19042 19044->19043 19049 100a7111 19044->19049 19055 100a0cdb 19044->19055 19058 100a7bb4 19044->19058 19065 100a0d64 19044->19065 19052 100a7143 19049->19052 19050 100a71e2 19054 100a71f1 19050->19054 19075 100a74cb 19050->19075 19052->19050 19052->19054 19068 100a741a 19052->19068 19054->19044 19079 100a5bc1 LeaveCriticalSection 19055->19079 19057 100a0ce2 19057->19044 19059 100a7bc2 19058->19059 19060 100a7d83 19059->19060 19062 100a7cae VirtualAlloc 19059->19062 19064 100a7c7f 19059->19064 19061 100a78bc 5 API calls 19060->19061 19061->19064 19062->19064 19064->19044 19080 100a5bc1 LeaveCriticalSection 19065->19080 19067 100a0d6b 19067->19044 19069 100a745d HeapAlloc 19068->19069 19070 100a742d HeapReAlloc 19068->19070 19072 100a7483 VirtualAlloc 19069->19072 19074 100a74ad 19069->19074 19071 100a744c 19070->19071 19070->19074 19071->19069 19073 100a749d HeapFree 19072->19073 19072->19074 19073->19074 19074->19050 19076 100a74dd VirtualAlloc 19075->19076 19078 100a7526 19076->19078 19078->19054 19079->19057 19080->19067 19081->18826 19083 100a2a2b 19082->19083 19084 100a2a32 19082->19084 19086 100a264a 19083->19086 19084->18879 19087 100a5b60 29 API calls 19086->19087 19088 100a265a 19087->19088 19097 100a27f7 19088->19097 19092 100a27ef 19092->19084 19094 100a2696 GetCPInfo 19096 100a26ac 19094->19096 19095 100a2671 19110 
100a5bc1 LeaveCriticalSection 19095->19110 19096->19095 19102 100a289d GetCPInfo 19096->19102 19098 100a2817 19097->19098 19099 100a2807 GetOEMCP 19097->19099 19100 100a2662 19098->19100 19101 100a281c GetACP 19098->19101 19099->19098 19100->19094 19100->19095 19100->19096 19101->19100 19104 100a28c0 19102->19104 19109 100a2988 19102->19109 19103 100aa1be 6 API calls 19105 100a293c 19103->19105 19104->19103 19106 100a6a64 9 API calls 19105->19106 19107 100a2960 19106->19107 19108 100a6a64 9 API calls 19107->19108 19108->19109 19109->19095 19110->19092 19120 100a1fbe 19111->19120 19114 100a1f2a GetCurrentProcess TerminateProcess 19115 100a1f3b 19114->19115 19116 100a1fac ExitProcess 19115->19116 19117 100a1fa5 19115->19117 19123 100a1fc7 19117->19123 19121 100a5b60 29 API calls 19120->19121 19122 100a1f1f 19121->19122 19122->19114 19122->19115 19126 100a5bc1 LeaveCriticalSection 19123->19126 19125 100a1f15 19125->18597 19126->19125 19128 100a5b01 19127->19128 19129 100a5b3d DeleteCriticalSection DeleteCriticalSection DeleteCriticalSection DeleteCriticalSection 19128->19129 19130 100a5b27 DeleteCriticalSection 19128->19130 19129->18910 19131 1009fcee 29 API calls 19130->19131 19131->19128 19251 1002607d 19258 100260ba 19251->19258 19253 10026095 19262 10026200 19253->19262 19255 100260a4 19266 10026372 19255->19266 19257 100260ac 19259 100260d0 19258->19259 19261 10026106 19258->19261 19260 1000b301 GetPEB 19259->19260 19259->19261 19260->19261 19261->19253 19263 10026216 19262->19263 19265 1002624c 19262->19265 19264 1000b301 GetPEB 19263->19264 19263->19265 19264->19265 19265->19255 19267 10026388 19266->19267 19269 100263be 19266->19269 19268 1000b301 GetPEB 19267->19268 19267->19269 19268->19269 19269->19257

    Control-flow Graph

    APIs
    • GetVersion.KERNEL32(1009E5B6,?,?,?), ref: 1009E4AA
      • Part of subcall function 100A3387: HeapCreate.KERNELBASE(00000000,00001000,00000000,1009E4BC,00000001), ref: 100A3398
      • Part of subcall function 100A3387: HeapDestroy.KERNEL32 ref: 100A33D7
      • Part of subcall function 100A2A3E: TlsAlloc.KERNEL32(?,1009E4F4), ref: 100A2A44
      • Part of subcall function 100A2A3E: TlsSetValue.KERNEL32(00000000), ref: 100A2A6C
      • Part of subcall function 100A2A3E: GetCurrentThreadId.KERNEL32 ref: 100A2A7D
    • GetCommandLineA.KERNEL32 ref: 1009E501
      • Part of subcall function 100A33E4: VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A341C
      • Part of subcall function 100A33E4: VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3427
      • Part of subcall function 100A33E4: HeapFree.KERNEL32(00000000,?,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3434
      • Part of subcall function 100A33E4: HeapFree.KERNEL32(00000000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3450
      • Part of subcall function 100A33E4: HeapDestroy.KERNEL32(?,?,1009E562,1009E5B6,?,?,?), ref: 100A3483
      • Part of subcall function 100A2B2A: TlsGetValue.KERNEL32(00000017,?,1009E56F,00000000,1009E5B6,?,?,?), ref: 100A2B42
      • Part of subcall function 100A2B2A: TlsSetValue.KERNEL32(00000000,?,1009E56F,00000000,1009E5B6,?,?,?), ref: 100A2BC2
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Heap$Free$Value$DestroyVirtual$AllocCommandCreateCurrentLineThreadVersion
    • String ID:
    • API String ID: 1348591257-0
    • Opcode ID: b62ed5e9b170dc615ee856b52960cc7ab2e07d0f34fed048d9349b4bef9ece36
    • Instruction ID: 856035bf9b8e1d64d5efb4ff41082b77b2ecb92965152f642118a98844d452bf
    • Opcode Fuzzy Hash: b62ed5e9b170dc615ee856b52960cc7ab2e07d0f34fed048d9349b4bef9ece36
    • Instruction Fuzzy Hash: 15114F79514BA2DBDF28DBB88D9B60937E4FB18345B12482AF405CA153EB71AD80EE11
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • EnterCriticalSection.KERNEL32(102372C8,1023729C,?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6), ref: 100B7F70
    • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6), ref: 100B7FC5
    • GlobalHandle.KERNEL32(013C97C8), ref: 100B7FCE
    • GlobalUnlock.KERNEL32(00000000,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B7FD7
    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100B7FE9
    • GlobalHandle.KERNEL32(013C97C8), ref: 100B8000
    • GlobalLock.KERNEL32(00000000,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B8007
    • LeaveCriticalSection.KERNEL32(?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B800D
    • GlobalLock.KERNEL32(?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B801C
    • LeaveCriticalSection.KERNEL32(?), ref: 100B8065
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
    • String ID:
    • API String ID: 2667261700-0
    • Opcode ID: 816c57c658faaec40744c78e48b38dfd795ba1b4105b7cc5cddf4eb03449103e
    • Instruction ID: 498a4d4b33ea80642452fd91aee4d4dcedf663756efad2e5077c2c69e86dd376
    • Opcode Fuzzy Hash: 816c57c658faaec40744c78e48b38dfd795ba1b4105b7cc5cddf4eb03449103e
    • Instruction Fuzzy Hash: E2318C7920030A9FE720DF28CC89A6AB7E9FB44351B054A3DF9A6C3661E775ED04CB10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph for function 100a2bca (basic blocks 100a2bca-100a2d85; legend: executed / not executed). Calls in the graph: 1009fdd7, 1009e613, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount. The raw edge list is not reproduced.]
    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 100A2C28
    • GetFileType.KERNEL32(00000480), ref: 100A2CD3
    • GetStdHandle.KERNEL32(-000000F6), ref: 100A2D36
    • GetFileType.KERNELBASE(00000000), ref: 100A2D44
    • SetHandleCount.KERNEL32 ref: 100A2D7B
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID:
    • API String ID: 1710529072-0
    • Opcode ID: 0e924dc1c542710af7069442172a20ff571d159eb0aded0f43bbca21da910724
    • Instruction ID: a57c1ff5f4c9d2183571c2b3e2f5e9ee1434f23135dc258d1b4e813c33f5582b
    • Opcode Fuzzy Hash: 0e924dc1c542710af7069442172a20ff571d159eb0aded0f43bbca21da910724
    • Instruction Fuzzy Hash: 64510131914265CFD720CBACC8987597BE0FB19378F268678C5A39B2E2D7309906C751
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph of the function at 100b8baa: SetErrorMode (twice), calls to 100b7d40, 100b8c0d and 100b362c]
    APIs
    • SetErrorMode.KERNELBASE(00000000,00000000,1009D3DA,?,00000000,102024D8,00000000,?,?,?,?,1009E5C6,?,?,?,?), ref: 100B8BB3
    • SetErrorMode.KERNELBASE(00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B8BBA
      • Part of subcall function 100B8C0D: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 100B8C3E
      • Part of subcall function 100B8C0D: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 100B8CDF
      • Part of subcall function 100B8C0D: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 100B8D0C
    Similarity
    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
    • String ID:
    • API String ID: 3389432936-0
    • Opcode ID: 15b3d953bc19076414d90048a8f5b616186e41622a36a53b224c1c9f87799652
    • Instruction ID: 087b8daccc1f6c15232af1c7bc50bfed5f7c389513a8762a668d1110a768dc41
    • Opcode Fuzzy Hash: 15b3d953bc19076414d90048a8f5b616186e41622a36a53b224c1c9f87799652
    • Instruction Fuzzy Hash: 6AF0F9BD9142509FD704EF24D445B1A7BE5EF48750F06888EF4489B3A3CB74E940CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph of the function at 100a3387: HeapCreate, calls to 100a323f, 100a6d75 and 100a78bc, HeapDestroy on the failure path]
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,1009E4BC,00000001), ref: 100A3398
      • Part of subcall function 100A323F: GetVersionExA.KERNEL32 ref: 100A325E
    • HeapDestroy.KERNEL32 ref: 100A33D7
      • Part of subcall function 100A6D75: HeapAlloc.KERNEL32(00000000,00000140,100A33C0,000003F8), ref: 100A6D82
    Similarity
    • API ID: Heap$AllocCreateDestroyVersion
    • String ID:
    • API String ID: 2507506473-0
    • Opcode ID: f07123f8dac605b98cec2a6f8b1d4210e4128eb9820a7e61b3c40568f6776003
    • Instruction ID: afadf4824ae4ff731c78a4d48753470203b12de417edcdbfda830e2e05446c17
    • Opcode Fuzzy Hash: f07123f8dac605b98cec2a6f8b1d4210e4128eb9820a7e61b3c40568f6776003
    • Instruction Fuzzy Hash: F7F06536648352EAFF10D7B44C8A75D37D4EB447D2F208C25F401D80A1EEF48781D652
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph of the function at 1009fe15: calls to 100a5b60, 100a7111, 1009fe7c, 100a7bb4 and 1009fedb, then RtlAllocateHeap]
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?), ref: 1009FEFC
      • Part of subcall function 100A5B60: InitializeCriticalSection.KERNEL32(00000000,?,?,?,1009FD6D,00000009,?,?,?), ref: 100A5B9D
      • Part of subcall function 100A5B60: EnterCriticalSection.KERNEL32(?,?,?,1009FD6D,00000009,?,?,?), ref: 100A5BB8
    Similarity
    • API ID: CriticalSection$AllocateEnterHeapInitialize
    • String ID:
    • API String ID: 1616793339-0
    • Opcode ID: 5576f0b4b5dd33d69d6b247caf3936a612d61cb94d29ddb3121c0dbe64597b0b
    • Instruction ID: bb554ffa4fab1a68767529a3e5eef4976a3ac405748671115ccdc5b027cee7f2
    • Opcode Fuzzy Hash: 5576f0b4b5dd33d69d6b247caf3936a612d61cb94d29ddb3121c0dbe64597b0b
    • Instruction Fuzzy Hash: F6212835A00219EBDB10DFA9DC42BEEB7A4FB00760F21451AF818EB5E2C774AD41E664
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph of the function at 10053b30: RtlAllocateHeap, then a call to 100507d0 on one branch]
    APIs
    • RtlAllocateHeap.NTDLL(013A0000,00000000,?), ref: 10053B41
      • Part of subcall function 100507D0: wsprintfA.USER32 ref: 100507E2
    Similarity
    • API ID: AllocateHeapwsprintf
    • String ID:
    • API String ID: 1352872168-0
    • Opcode ID: 8f4a746dc0311a72110d9e9e0d91b23e593a354499c0ef69cf1bc2cb8c0bafbd
    • Instruction ID: 6d07ddb9d044c094a66013f31d76628e75d4fba66ab6e66e8110b09e59daf6fa
    • Opcode Fuzzy Hash: 8f4a746dc0311a72110d9e9e0d91b23e593a354499c0ef69cf1bc2cb8c0bafbd
    • Instruction Fuzzy Hash: C3E046B9900208EBEB00CBA0D985A9A77B8EB08300F008258FA094B200D632EE009B91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph of the function at 100b43fe: call to 100b7d40, then LoadStringA]
    APIs
    • LoadStringA.USER32(?,00000100,00000100,00000100), ref: 100B4415
    Similarity
    • API ID: LoadString
    • String ID:
    • API String ID: 2948472770-0
    • Opcode ID: 9b75291d1cc68b3889218e39b470f55b1b3f212765dcf4c0af887729f4fae742
    • Instruction ID: 8359965a88f82c01c0158bd845a499ad04138399ba43e1135119a8c9ab86c759
    • Opcode Fuzzy Hash: 9b75291d1cc68b3889218e39b470f55b1b3f212765dcf4c0af887729f4fae742
    • Instruction Fuzzy Hash: 4ED09E7A5193A29BC611DF61C804D9FBBA8BF55250B054C49F49453111C720D8548666
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 100511D5
    • IsWindow.USER32(00020464), ref: 100511F1
    • SendMessageA.USER32(00020464,000083E7,?,00000000), ref: 1005120A
    • ExitProcess.KERNEL32 ref: 1005121F
    • FreeLibrary.KERNEL32(?), ref: 10051303
    • FreeLibrary.KERNEL32 ref: 10051357
    • DestroyCursor.USER32(00000000), ref: 100513A7
    • DestroyCursor.USER32(00000000), ref: 100513BE
    • IsWindow.USER32(00020464), ref: 100513D5
    • DestroyCursor.USER32(?), ref: 10051484
    • WSACleanup.WS2_32 ref: 100514CF
    Similarity
    • API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
    • String ID:
    • API String ID: 2560087610-0
    • Opcode ID: 707b8f6f0e4e0ea7670fbf31e7e102d33ce47446a8d090316e7ce72e96af57c6
    • Instruction ID: 469d989f5cfea75ff7cb4fb78b9694011f68c50ed32e348f67c6d81aea70ebb5
    • Opcode Fuzzy Hash: 707b8f6f0e4e0ea7670fbf31e7e102d33ce47446a8d090316e7ce72e96af57c6
    • Instruction Fuzzy Hash: D7B157B46007029BD724DF64C8D5BDAB7E9FF48340F51492DE9AAC7281DB30B989CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.KERNEL32(00000000,1021B674), ref: 10050497
    • LoadLibraryA.KERNEL32(?,?,1022BC38), ref: 10050589
    • LoadLibraryA.KERNEL32(?,?), ref: 100505CF
    • LoadLibraryA.KERNEL32(?,?,1022BB40,00000001), ref: 10050617
    • LoadLibraryA.KERNEL32(00000001), ref: 1005062D
    • GetProcAddress.KERNEL32(00000000,?), ref: 1005063F
    • FreeLibrary.KERNEL32(00000000), ref: 100506D2
    Similarity
    • API ID: Library$Load$AddressProc$Free
    • String ID:
    • API String ID: 3120990465-0
    • Opcode ID: 75f8b8f97f2a34dd914fdd3f315ff725e8f10e0936d79b99ee6fa344b573f52f
    • Instruction ID: 05b09a8fc11e86cb4538e7611abaae9387d229b962f2f119f66d44664a6082ad
    • Opcode Fuzzy Hash: 75f8b8f97f2a34dd914fdd3f315ff725e8f10e0936d79b99ee6fa344b573f52f
    • Instruction Fuzzy Hash: D4A19EB5A04752ABD314DF64C881B9BB3E8FF89310F044A2DF95597281EB34AD19CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: GetM$GetP$Load$RtlM$Virt$eFil$eNam$odul$ualA$ualF
    • API String ID: 0-2330598228
    • Opcode ID: e95b2be4774fe56dce19853926b31ae9608be0e86b70fc2631ec137b1f0567bd
    • Instruction ID: 3f8558a2541e45efa72f5b4ea6ff21bd80ef3481b67304b042cdcb36b97d6d8b
    • Opcode Fuzzy Hash: e95b2be4774fe56dce19853926b31ae9608be0e86b70fc2631ec137b1f0567bd
    • Instruction Fuzzy Hash: 0A327D70A002869FEB54DF58C884B9DBBF1FF44394F16816AE854AB399D7B0DD80CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: GetM$GetP$Load$RtlM$Virt$eFil$eNam$odul$ualA$ualF
    • API String ID: 0-2330598228
    • Opcode ID: e95b2be4774fe56dce19853926b31ae9608be0e86b70fc2631ec137b1f0567bd
    • Instruction ID: d2a28ff6a50f632bb3572c5c41ab9e449cdfeca98239b3fecef99f91761cde9a
    • Opcode Fuzzy Hash: e95b2be4774fe56dce19853926b31ae9608be0e86b70fc2631ec137b1f0567bd
    • Instruction Fuzzy Hash: 91329E70A00A06DFEB24CF58C880B99B7F1FF44395F1681AAE955AB399D770DD80CB85
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction ID: 2e70ce2c9f22321860c42d5244e68513028ae2390af2eec8113b033fec0f6edb
    • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction Fuzzy Hash: 46B15975A0424ADFDB15CF44C9D0AA8BBE1FF48358F25C1ADD81A5B382C731EA46CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 056a4eb8a90d97f007b015fba570332645c5903c738d8b8e17427a0223d64916
    • Instruction ID: be240a574cd6c0a663734a8f5f1201e3ab864da3c6c584b283b6f2e4c7219627
    • Opcode Fuzzy Hash: 056a4eb8a90d97f007b015fba570332645c5903c738d8b8e17427a0223d64916
    • Instruction Fuzzy Hash: E85188B1E00345EFEB01CFE498467AEBB74EF18310F54416DE518BB282D6716A54CB92
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
    • Instruction ID: 3b95a3801ed842e95b57732c3bb335540bb9858d0a048c30426e45c69e30bfce
    • Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
    • Instruction Fuzzy Hash: 1D112B64A10609C7EB00CFA4D480BAEB3B5FF1C700F105069D508EB395E77A9E10C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
    • Instruction ID: b80e278ba4c6a1cff5842473d39247c98dcd9125a09afdc6cc5c560dcf043612
    • Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
    • Instruction Fuzzy Hash: 3D112B64A10248C7EB00CFA4D580BAEB3B5FF1C700F105469D508EB395E77A9E10C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 668ced5cacfd4194cfd49e06589f7fa115bc68af22e0a86f89cc01be1e0e93bc
    • Instruction ID: d9338f4b4855b6357680b1363d73f70f08ba4e2496a1850d1e1eed54151e7907
    • Opcode Fuzzy Hash: 668ced5cacfd4194cfd49e06589f7fa115bc68af22e0a86f89cc01be1e0e93bc
    • Instruction Fuzzy Hash: 57E0867375410A5BA70CCC15DD15975374BD7C0370B14C33EF85686285DD68E9618150
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,100A35E9,?,Microsoft Visual C++ Runtime Library,00012010,?,1020493C,?,1020498C,?,?,?,Runtime Error!Program: ), ref: 100AAA01
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 100AAA19
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 100AAA2A
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 100AAA37
    Strings
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-4044615076
    • Opcode ID: a74306af38e9c4c1ad1bdd7639b7635a187d018bb3919e0ac27513e2504a79e1
    • Instruction ID: e8165724b945ed01e0431c187fec83e22f06b7cef257cb198dd2aeaf103b0a81
    • Opcode Fuzzy Hash: a74306af38e9c4c1ad1bdd7639b7635a187d018bb3919e0ac27513e2504a79e1
    • Instruction Fuzzy Hash: 44012131601373DBDB50DFF58DC8A6B7BE9EB9E6907010529E501C6162DB348844DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,10204BCC,00000001,00000000,00000000,74DEE860,102379F4,?,00000003,00000000,00000001,00000000,?,?,100A028D), ref: 100A6AA6
    • LCMapStringA.KERNEL32(00000000,00000100,10204BC8,00000001,00000000,00000000,?,?,100A028D,?), ref: 100A6AC2
    • LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,102379F4,?,00000003,00000000,00000001,00000000,?,?,100A028D), ref: 100A6B0B
    • MultiByteToWideChar.KERNEL32(?,102379F5,00000000,00000001,00000000,00000000,74DEE860,102379F4,?,00000003,00000000,00000001,00000000,?,?,100A028D), ref: 100A6B43
    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 100A6B9B
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 100A6BB1
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 100A6BE4
    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 100A6C4C
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID:
    • API String ID: 352835431-0
    • Opcode ID: 2eb373ebfc1d7118cb6b1b919dbfd7a6d673843321a28c43fb8b50629bc801ef
    • Instruction ID: 4b4af60aba4e7cb564ae3ff0afe7de9f29bdb185e78238d85ae9a8b434eff6c1
    • Opcode Fuzzy Hash: 2eb373ebfc1d7118cb6b1b919dbfd7a6d673843321a28c43fb8b50629bc801ef
    • Instruction Fuzzy Hash: D6515A71900259EFDF22CF94CC85ADE3FB9FB89794F208629F955A2160D3318D60EB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 100A3532
    • GetStdHandle.KERNEL32(000000F4,1020493C,00000000,?,00000000,?), ref: 100A3608
    • WriteFile.KERNEL32(00000000), ref: 100A360F
    Strings
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3784150691-4022980321
    • Opcode ID: cf1c400a80d1d6f8f519c7d20f52625956d6cac42374561a115919b0d26c4895
    • Instruction ID: 75d7edd16df77553bd8204fdcf0ca45fb0a31db4b3d302c0142d5476c8e90829
    • Opcode Fuzzy Hash: cf1c400a80d1d6f8f519c7d20f52625956d6cac42374561a115919b0d26c4895
    • Instruction Fuzzy Hash: 7031B076A0021CEFDF20DAE4CC86FEA73ADEB45380F608566F545A7141EB70AA80CA51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1009E511), ref: 100A30FB
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,1009E511), ref: 100A310F
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1009E511), ref: 100A313B
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,1009E511), ref: 100A3173
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,1009E511), ref: 100A3195
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,1009E511), ref: 100A31AE
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,1009E511), ref: 100A31C1
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 100A31FF
    Similarity
    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
    • String ID:
    • API String ID: 1823725401-0
    • Opcode ID: 4433bf0067b83a4e270eb803c1c9dab745779409026a448051f151cc50177b59
    • Instruction ID: cfb908c35fc159720ef29b2f4a78f0df2796ecd962675dfef85bfa5d948f7730
    • Opcode Fuzzy Hash: 4433bf0067b83a4e270eb803c1c9dab745779409026a448051f151cc50177b59
    • Instruction Fuzzy Hash: 9E310A765043A6EFE320FFF94CC882B7BDCF64A6D47124929F952C3111E6A09C40C7A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStringTypeW.KERNEL32(00000001,10204BCC,00000001,?,74DEE860,102379F4,?,?,00000002,00000000,?,?,100A028D,?), ref: 100AA1FD
    • GetStringTypeA.KERNEL32(00000000,00000001,10204BC8,00000001,?,?,?,100A028D,?), ref: 100AA217
    • GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,74DEE860,102379F4,?,?,00000002,00000000,?,?,100A028D,?), ref: 100AA24B
    • MultiByteToWideChar.KERNEL32(?,102379F5,?,00000000,00000000,00000000,74DEE860,102379F4,?,?,00000002,00000000,?,?,100A028D,?), ref: 100AA283
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 100AA2D9
    • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 100AA2EB
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    • Opcode ID: d6005f5fd8e7dc4fcddc91b1c410834bfd2c5813bb1634ad19983f3edefd3277
    • Instruction ID: dc7f85178876988037882e2667c7c8db75f15d7d67f101b0e09ba79dbe70e586
    • Opcode Fuzzy Hash: d6005f5fd8e7dc4fcddc91b1c410834bfd2c5813bb1634ad19983f3edefd3277
    • Instruction Fuzzy Hash: F7416B7690025AEFCF20DF98CC89AEE7FB9FB0A290F104525F915D6190C73289A0DB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • TlsGetValue.KERNEL32(102372AC,1023729C,00000000,?,102372AC,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?), ref: 100B80DB
    • EnterCriticalSection.KERNEL32(102372C8,00000010,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B812A
    • LeaveCriticalSection.KERNEL32(102372C8,00000000,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B813D
    • LocalAlloc.KERNEL32(00000000,00000003,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B8153
    • LocalReAlloc.KERNEL32(?,00000003,00000002,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B8165
    • TlsSetValue.KERNEL32(102372AC,00000000), ref: 100B81A1
    Similarity
    • API ID: AllocCriticalLocalSectionValue$EnterLeave
    • String ID:
    • API String ID: 4117633390-0
    • Opcode ID: f5c7ee422b9b62af0218e44f22bcecb7798588a3e08037c1fcf44bd7f7dfd589
    • Instruction ID: 1f78184cf6855ae451c4be3816702cafbf4a8a272def4790b2df67d60753a780
    • Opcode Fuzzy Hash: f5c7ee422b9b62af0218e44f22bcecb7798588a3e08037c1fcf44bd7f7dfd589
    • Instruction Fuzzy Hash: D0314F79100605EFE714CF59C889E96B7E8FF44750F10CA19E56687650E770EE06CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A341C
    • VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3427
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3434
    • HeapFree.KERNEL32(00000000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3450
    • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3471
    • HeapDestroy.KERNEL32(?,?,1009E562,1009E5B6,?,?,?), ref: 100A3483
    Similarity
    • API ID: Free$HeapVirtual$Destroy
    • String ID:
    • API String ID: 716807051-0
    • Opcode ID: 9907b2dbabc6b22c07ae2e13deedde6ce08470b4c1765e03c905028d89642275
    • Instruction ID: 921bf33908d7db1bb4f467f63baf701047519ebc96a747b42b8b88cbf22fbdcb
    • Opcode Fuzzy Hash: 9907b2dbabc6b22c07ae2e13deedde6ce08470b4c1765e03c905028d89642275
    • Instruction Fuzzy Hash: 82117C3A240265EBEA32CB54DCC9F49B7A5F748750F228920F6806A4A1C6B1BD41DB58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetVersionExA.KERNEL32 ref: 100A325E
    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 100A3293
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100A32F3
    Strings
    Similarity
    • API ID: EnvironmentFileModuleNameVariableVersion
    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
    • API String ID: 1385375860-4131005785
    • Opcode ID: b0fc5c1220a8d89f4271bdd84652c32ab713099f1f215e31a0b58349a27fde11
    • Instruction ID: 64265b808d29a985652b266f1d5153974a033dd7018804ba12ce5284c4d75aa8
    • Opcode Fuzzy Hash: b0fc5c1220a8d89f4271bdd84652c32ab713099f1f215e31a0b58349a27fde11
    • Instruction Fuzzy Hash: 7031D276809298EDEF61C6F05C92BDD7BACDB12384F24C4E9F145D6042EAB19F89CB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 100B8C3E
      • Part of subcall function 100B8D2A: lstrlenA.KERNEL32(?,00000000,?), ref: 100B8D61
    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 100B8CDF
    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 100B8D0C
    Strings
    Similarity
    • API ID: FileModuleNamelstrcatlstrcpylstrlen
    • String ID: .HLP$.INI
    • API String ID: 2421895198-3011182340
    • Opcode ID: 215b2dbbfd57f928c0a465aa8ae17e0194eb6833960b13584e80889fe829a9ba
    • Instruction ID: a6b310693537a418bf49237501887c8a255ee275912405b3828120ee16d60506
    • Opcode Fuzzy Hash: 215b2dbbfd57f928c0a465aa8ae17e0194eb6833960b13584e80889fe829a9ba
    • Instruction Fuzzy Hash: 3D3170B9800719DFD720DFB0C885BCAB7FCEF04350F10496AE589D2151EB70AA84CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(00000103,7FFFFFFF,100A0892,100A240A,00000000,?,?,00000000,00000001), ref: 100A2AC5
    • TlsGetValue.KERNEL32 ref: 100A2AD3
    • SetLastError.KERNEL32(00000000), ref: 100A2B1F
      • Part of subcall function 100A0C42: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,100A7F94,10204500,000000FF,?,100A2AE8,00000001,00000074), ref: 100A0D38
    • TlsSetValue.KERNEL32(00000000), ref: 100A2AF7
    • GetCurrentThreadId.KERNEL32 ref: 100A2B08
    Similarity
    • API ID: ErrorLastValue$AllocCurrentHeapThread
    • String ID:
    • API String ID: 2020098873-0
    • Opcode ID: 84d35f0546d9f5a6aaf9d057484cbaa8b6fc2a4440836c52497e07e6645ad6e5
    • Instruction ID: 30303a567b2660ae9c6e8a5ee3af6970a8f412036590442b6ba16ce2a8e49bf2
    • Opcode Fuzzy Hash: 84d35f0546d9f5a6aaf9d057484cbaa8b6fc2a4440836c52497e07e6645ad6e5
    • Instruction Fuzzy Hash: 8AF0BB3D6002719BE2355FB89C4DA893B94EF00BB17210728F546E71E1DF308C41D6A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DeleteCriticalSection.KERNEL32(00000000,?,?,100A2A97,1009E55D,1009E5B6,?,?,?), ref: 100A5B28
      • Part of subcall function 1009FCEE: HeapFree.KERNEL32(00000000,?,?,?,?), ref: 1009FDC2
    • DeleteCriticalSection.KERNEL32(?,?,100A2A97,1009E55D,1009E5B6,?,?,?), ref: 100A5B43
    • DeleteCriticalSection.KERNEL32 ref: 100A5B4B
    • DeleteCriticalSection.KERNEL32 ref: 100A5B53
    • DeleteCriticalSection.KERNEL32 ref: 100A5B5B
    Similarity
    • API ID: CriticalDeleteSection$FreeHeap
    • String ID:
    • API String ID: 447823528-0
    • Opcode ID: 80839d8ce2d3efbf508084d642a8e5c906a0010bae696f60ecfb8db0e32d920c
    • Instruction ID: c8a102261e4439f78ff6b81f4ec57b3b509e4cb3a60c0317ba03094adb996b3b
    • Opcode Fuzzy Hash: 80839d8ce2d3efbf508084d642a8e5c906a0010bae696f60ecfb8db0e32d920c
    • Instruction Fuzzy Hash: 60F05B2D85012CE6DA65BB59DD49C55FA95EA802623660072E8967B130CB334CA0C5E0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapAlloc.KERNEL32(00000000,00002020,1021CFC0,?,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A78DD
    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A7901
    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A791B
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?,?), ref: 100A79DC
    • HeapFree.KERNEL32(00000000,00000000,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?,?,?), ref: 100A79F3
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: AllocVirtual$FreeHeap
    • String ID:
    • API String ID: 714016831-0
    • Opcode ID: a5e1a649ebce402a5b434beaf74f24afdac75aa47d117765f0271bb3c3eb6095
    • Instruction ID: fc3b1f2f16ac1edc27d23eacd074c2d4b113a642641c364ce0c648309d99aa48
    • Opcode Fuzzy Hash: a5e1a649ebce402a5b434beaf74f24afdac75aa47d117765f0271bb3c3eb6095
    • Instruction Fuzzy Hash: 1631267664071ADFD320CF28CC84B2677E5FB45790F20862BE59A9B6D0DB70A841C758
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: 773b63946a54e029279f74e363202ac7e46494e809db1a43909fca302e94e3e1
    • Instruction ID: 1c73a3fad27fc45726235786101f17ef1dd38906a74bbd67e98ce6f7336eb253
    • Opcode Fuzzy Hash: 773b63946a54e029279f74e363202ac7e46494e809db1a43909fca302e94e3e1
    • Instruction Fuzzy Hash: 664147311042B89BEB36CA98CD99FEBBFA9EB09B04F1010F5D585DB193C3214944DBB2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 100B363F
    • SetWindowsHookExA.USER32(000000FF,V&C,00000000,00000000), ref: 100B364F
      • Part of subcall function 100B83CB: __EH_prolog.LIBCMT ref: 100B83D0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CurrentH_prologHookThreadWindows
    • String ID: V&C
    • API String ID: 2183259885-1695398598
    • Opcode ID: 4a0c23395f836818af9c28b16c4f11915896402e82734140c132ba99e29c509b
    • Instruction ID: 78048515fd0e9a15a43ecb7b518d2917f0918a3669aac28163517432cd1fc61c
    • Opcode Fuzzy Hash: 4a0c23395f836818af9c28b16c4f11915896402e82734140c132ba99e29c509b
    • Instruction Fuzzy Hash: 79F0A03D4006506FD7209B70ED08B9936A0FF04761F650744F953AA2A1DB30AD80CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.KERNEL32(102372C8,?,102372AC,102372C8,102372AC,?,100B82F6,013C1248,00000000,00000000,?,?,1009D472,?,000000FF), ref: 100B8274
    • LeaveCriticalSection.KERNEL32(102372C8,?,?,100B82F6,013C1248,00000000,00000000,?,?,1009D472,?,000000FF,?,1009E5C6,?,?), ref: 100B8284
    • LocalFree.KERNEL32(00000003,?,100B82F6,013C1248,00000000,00000000,?,?,1009D472,?,000000FF,?,1009E5C6,?,?,?), ref: 100B828D
    • TlsSetValue.KERNEL32(102372AC,00000000,?,100B82F6,013C1248,00000000,00000000,?,?,1009D472,?,000000FF,?,1009E5C6,?,?), ref: 100B82A3
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterFreeLeaveLocalValue
    • String ID:
    • API String ID: 2949335588-0
    • Opcode ID: ff663e0cca6a86ed0dadfcb778f9189d686d9368ccdec6cb3665bc74eaabb359
    • Instruction ID: ed143d64073d0a1e94eaf9b39500f5f4128a1b4499ab4b215e09bcaa61158b4e
    • Opcode Fuzzy Hash: ff663e0cca6a86ed0dadfcb778f9189d686d9368ccdec6cb3665bc74eaabb359
    • Instruction Fuzzy Hash: 11217939601610EFEB14CF84C885BAA77E5FF45751F108469EA529B1A1C771FE41CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,100A71E2,?,?,?,1009FE63,?,?,?,?,?,?), ref: 100A7442
    • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,100A71E2,?,?,?,1009FE63,?,?,?,?,?,?), ref: 100A7476
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 100A7490
    • HeapFree.KERNEL32(00000000,?), ref: 100A74A7
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: AllocHeap$FreeVirtual
    • String ID:
    • API String ID: 3499195154-0
    • Opcode ID: c1ea4dfeddbe9e6ed8214b2c14d7306fbc4eade8343a3f74ef79499c1336384a
    • Instruction ID: 2c20319bad1c28ef711661fa7fbd9028b6d979ea8596f2957e05b0d7aaae370e
    • Opcode Fuzzy Hash: c1ea4dfeddbe9e6ed8214b2c14d7306fbc4eade8343a3f74ef79499c1336384a
    • Instruction Fuzzy Hash: 871158702006619FEB31CF58CCC9D5A7BB6FB8D3607108A29E1A6CA5B2C3309942DF10
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.KERNEL32(102373A0,?,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B), ref: 100B8E4E
    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B), ref: 100B8E60
    • LeaveCriticalSection.KERNEL32(102373A0,?,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B), ref: 100B8E69
    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B,100B40F3), ref: 100B8E7B
      • Part of subcall function 100B8D80: GetVersion.KERNEL32(?,100B8E23,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B,100B40F3,1009D463), ref: 100B8D93
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CriticalSection$Enter$InitializeLeaveVersion
    • String ID:
    • API String ID: 1193629340-0
    • Opcode ID: e531bb49b0eba0f39f75e835d722d6ac0fe849d55abdcbee5780fa29f2afd9b5
    • Instruction ID: d995fcdc5bfdd8422e1df45e00fb7c6f237e9ea7424d40d11a5b460f46ec3cfe
    • Opcode Fuzzy Hash: e531bb49b0eba0f39f75e835d722d6ac0fe849d55abdcbee5780fa29f2afd9b5
    • Instruction Fuzzy Hash: D3F04F3900126BDFDB10EFA8CCC8996B3ADFB58326B400436EA1586032D735F959DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeCriticalSection.KERNEL32(?,100A2A44,?,1009E4F4), ref: 100A5AD8
    • InitializeCriticalSection.KERNEL32 ref: 100A5AE0
    • InitializeCriticalSection.KERNEL32 ref: 100A5AE8
    • InitializeCriticalSection.KERNEL32 ref: 100A5AF0
    Memory Dump Source
    • Source File: 00000000.00000002.4066811340.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000000.00000002.4066790968.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4066903929.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067077680.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067103438.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067126691.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067154895.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067180288.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067201577.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067225750.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4067288229.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID:
    • API String ID: 32694325-0
    • Opcode ID: a3dbd360746503a390bcc2d4b67aa406925a366b79a2ef3cc35c529021e603d2
    • Instruction ID: 29c78103e5d665d90befb387c0a0bcd68c9463bf0efcf30c9ccee5b762416334
    • Opcode Fuzzy Hash: a3dbd360746503a390bcc2d4b67aa406925a366b79a2ef3cc35c529021e603d2
    • Instruction Fuzzy Hash: 13C0023980103CAADE126B75EE8E88A7F26EB082A13218073E50853134CE321C20EFD0
    Uniqueness

    Uniqueness Score: -1.00%

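    The function blocks above list each Win32 call with its stack arguments as raw 8-digit hex and a '?' for anything the sandbox could not resolve statically, which leaves the reader to decode flag words such as 00002000/00000004 by hand. The following triage helper is an added example, not part of the Joe Sandbox report or of the analysed DLL: it parses lines in the report's APIs format, decodes the VirtualAlloc/VirtualFree flag arguments and the SetWindowsHookExA hook id against the documented signatures, and flags the two things a triager looks for first (executable page protections and keyboard/mouse hooks). Its sample input is copied from the blocks above. Two assumptions are labelled in the code: that the displayed 000000FF hook id is the 8-bit immediate of a sign-extended push -1 (WH_MSGFILTER) rather than a literal 255, and that the statically shown values are what reached the call; the GetCurrentThreadId call immediately before SetWindowsHookExA suggests the thread id is in fact computed at run time, so treat the 00000000 shown for dwThreadId as a placeholder.

```python
"""Decode the raw hex arguments in Joe Sandbox 'APIs' lines (added triage helper).

Parses lines such as
    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?), ref: 100A7901
Argument positions follow the documented Win32 signatures; '?' is the
sandbox's marker for a value it could not resolve statically.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Arg = Union[int, str, None]

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
HOOK_IDS = {0xFFFFFFFF: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
            2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
            6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 9: "WH_DEBUG", 10: "WH_SHELL",
            11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL",
            14: "WH_MOUSE_LL"}
INPUT_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_MOUSE", "WH_MOUSE_LL", "WH_JOURNALRECORD"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Arg]
    ref: Optional[int]            # address of the call site
    parent: Optional[int] = None  # set for 'Part of subcall function' entries


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # the sandbox printed the bytes a pointer points to, e.g. V&C


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["func"], m["module"], args,
                   int(m["ref"], 16) if m["ref"] else None,
                   int(m["parent"], 16) if m["parent"] else None)


def _bits(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    leftover = value
    for bit in table:
        leftover &= ~bit
    if leftover:
        names.append(f"0x{leftover:x}")
    return "|".join(names) or "0"


def _protect(value: int) -> str:
    base = PAGE_PROT.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = _bits(value & ~0xFF, PAGE_MODS)
    return base if mods == "0" else f"{base}|{mods}"


def describe(call: ApiCall) -> Tuple[str, Optional[str]]:
    """Return (decoded call, triage finding or None)."""
    a = call.args + [None] * 4  # pad so positional access never fails
    if call.func == "VirtualAlloc" and None not in a[:4]:
        addr, size, atype, prot = a[:4]
        desc = (f"VirtualAlloc(lpAddress=0x{addr:x}, dwSize=0x{size:x} ({size // 1024} KiB), "
                f"{_bits(atype, MEM_FLAGS)}, {_protect(prot)})")
        finding = ("executable memory allocated: candidate for unpacked or injected code"
                   if prot & 0xF0 else None)
        return desc, finding
    if call.func == "VirtualFree" and None not in a[:3]:
        addr, size, ftype = a[:3]
        desc = f"VirtualFree(lpAddress=0x{addr:x}, dwSize=0x{size:x}, {_bits(ftype, MEM_FLAGS)})"
        # MEM_RELEASE requires dwSize == 0; anything else is a documented failure.
        finding = "MEM_RELEASE with non-zero dwSize fails" if ftype == 0x8000 and size else None
        return desc, finding
    if call.func == "SetWindowsHookExA":
        idhook, lpfn, hmod, tid = a[:4]
        if idhook == 0xFF:
            # Assumption: the report prints the 8-bit immediate of 'push -1'
            # (6A FF) without sign extension, so 0xFF is read here as -1.
            idhook = 0xFFFFFFFF
        name = HOOK_IDS.get(idhook, f"unknown hook id {idhook!r}")
        scope = "dwThreadId=0 (all threads)" if tid == 0 else f"dwThreadId={tid!r}"
        desc = f"SetWindowsHookExA({name}, lpfn={lpfn!r}, hMod={hmod!r}, {scope})"
        finding = "keyboard/mouse hook installed: keylogging capability" if name in INPUT_HOOKS else None
        return desc, finding
    return f"{call.func}.{call.module} (not decoded)", None


def triage(report_text: str):
    """Decode every API line in a report fragment; returns [(call, desc, finding)]."""
    out = []
    for line in report_text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            out.append((call, *describe(call)))
    return out


# Sample input: API lines copied from the function blocks of this report.
SAMPLE = """\
• HeapAlloc.KERNEL32(00000000,00002020,1021CFC0,?,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A78DD
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A7901
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A791B
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?,?), ref: 100A79DC
• GetCurrentThreadId.KERNEL32 ref: 100B363F
• SetWindowsHookExA.USER32(000000FF,V&C,00000000,00000000), ref: 100B364F
  • Part of subcall function 100B83CB: __EH_prolog.LIBCMT ref: 100B83D0
"""

if __name__ == "__main__":
    for call, desc, finding in triage(SAMPLE):
        site = f"{call.ref:08X}" if call.ref is not None else "????????"
        print(f"{site}  {desc}" + (f"   <-- {finding}" if finding else ""))
```

    Run against the lines above, the decoder shows a 4 MiB PAGE_READWRITE reserve, a 64 KiB PAGE_READWRITE commit and a MEM_RELEASE, with no executable protection and no input hook, which is the arena pattern of a runtime memory manager rather than evidence for the "likely to inject code" signature; that signature rests on the suspended-mode process creation, not on these blocks. The findings the helper does raise (PAGE_EXECUTE_* allocations, WH_KEYBOARD/WH_MOUSE family hooks) are the ones worth pivoting on in other reports.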
    Execution Graph

    Execution Coverage:1.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:1164
    Total number of Limit Nodes:5
    execution_graph: the serialized node and edge list of the interactive graph is omitted here. API-bearing nodes on the recorded paths: GetPEB (several nodes), RtlAllocateHeap, HeapAlloc, HeapReAlloc, HeapFree, VirtualAlloc, VirtualFree, GlobalAlloc, GlobalReAlloc, GlobalLock, GlobalUnlock, GlobalHandle, LocalAlloc, LocalReAlloc, TlsAlloc, TlsGetValue, TlsSetValue, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, RaiseException, __EH_prolog, GetVersion, GetCurrentThreadId, lstrlenA, lstrcpynA, wsprintfA, LoadStringA, IsWindow, SendMessageA, MessageBoxA, DestroyCursor, FreeLibrary, WSACleanup, OleUninitialize, ExitProcess.
18513->18510 18514->18513 18516 100ae63b 29 API calls 18514->18516 18515->18514 18516->18513 18518 10053553 18517->18518 18519 1005358c 18517->18519 18518->18519 18522 1005357a WaitForSingleObject 18518->18522 18520 100535b5 18519->18520 18521 10053598 CloseHandle 18519->18521 18524 100535d6 18520->18524 18538 10061060 18520->18538 18521->18520 18522->18519 18524->18499 18526 10075d13 18525->18526 18527 10075d28 EnterCriticalSection 18525->18527 18542 10075de0 EnterCriticalSection 18526->18542 18532 10075d4f 18527->18532 18529 10075d18 18529->18501 18530 10075d81 LeaveCriticalSection 18531 10075de0 3 API calls 18530->18531 18533 10075d91 18531->18533 18532->18530 18534 10075db9 18533->18534 18535 10075dae WaitForSingleObject 18533->18535 18536 100ae664 29 API calls 18534->18536 18535->18533 18537 10075dbf 18536->18537 18537->18501 18539 1006106a 18538->18539 18540 100ae664 29 API calls 18539->18540 18541 10061080 18539->18541 18540->18541 18541->18524 18543 10075df5 18542->18543 18544 10075e19 LeaveCriticalSection 18543->18544 18545 10075e0d SetEvent 18543->18545 18544->18529 18545->18543 19138 10053c30 19139 10053c5e 19138->19139 19140 10053c39 19138->19140 19140->19139 19141 10053c4b HeapFree 19140->19141 19141->19139 19142 10053630 19145 10053610 19142->19145 19148 10050430 19145->19148 19147 10053621 19149 100504f5 19148->19149 19150 1005045b 19148->19150 19152 10050523 19149->19152 19154 1009f188 6 API calls 19149->19154 19172 10050796 19149->19172 19151 10050483 GetProcAddress 19150->19151 19206 1009f188 19150->19206 19156 100504a3 19151->19156 19157 100504d8 19151->19157 19159 10050661 19152->19159 19160 1005054e 19152->19160 19154->19152 19209 100587d0 19156->19209 19161 10050410 35 API calls 19157->19161 19164 10050666 LoadLibraryA 19159->19164 19169 100506a8 FreeLibrary 19159->19169 19173 10050649 19159->19173 19168 1005062c LoadLibraryA 19160->19168 19171 10050596 19160->19171 19214 100aeb43 19160->19214 19163 100504df 19161->19163 19163->19147 
19164->19159 19165 10050676 GetProcAddress 19164->19165 19165->19159 19166 10050810 96 API calls 19167 100504c7 19166->19167 19170 100ae8fa 32 API calls 19167->19170 19168->19173 19174 10050639 GetProcAddress 19168->19174 19169->19159 19170->19157 19171->19174 19178 100aeb43 35 API calls 19171->19178 19172->19147 19173->19172 19176 100506d1 FreeLibrary 19173->19176 19177 100506d8 19173->19177 19174->19173 19176->19177 19183 10050740 19177->19183 19184 100506e9 19177->19184 19180 100505b8 19178->19180 19182 100aeb43 35 API calls 19180->19182 19181 100ae8fa 32 API calls 19181->19171 19185 100505cc LoadLibraryA 19182->19185 19186 100587d0 44 API calls 19183->19186 19187 100587d0 44 API calls 19184->19187 19188 100ae8fa 32 API calls 19185->19188 19190 10050754 19186->19190 19191 100506fe 19187->19191 19189 100505dc 19188->19189 19192 100ae8fa 32 API calls 19189->19192 19193 10050810 96 API calls 19190->19193 19194 10050810 96 API calls 19191->19194 19196 100505ed 19192->19196 19197 1005076f 19193->19197 19195 10050719 19194->19195 19198 100ae8fa 32 API calls 19195->19198 19196->19174 19201 10050624 19196->19201 19203 100aeb43 35 API calls 19196->19203 19199 100ae8fa 32 API calls 19197->19199 19200 1005072a 19198->19200 19202 10050780 19199->19202 19200->19147 19201->19168 19201->19174 19202->19147 19204 10050614 LoadLibraryA 19203->19204 19205 100ae8fa 32 API calls 19204->19205 19205->19201 19222 1009f0fd 19206->19222 19228 100ac682 19209->19228 19211 10058815 19212 100ae8fa 32 API calls 19211->19212 19213 100504b3 19212->19213 19213->19166 19215 100aeb4d __EH_prolog 19214->19215 19216 100aeb68 19215->19216 19217 100aeb6c lstrlenA 19215->19217 19218 100aea9f 31 API calls 19216->19218 19217->19216 19219 100aeb8a 19218->19219 19220 100ae8fa 32 API calls 19219->19220 19221 10050586 LoadLibraryA 19220->19221 19221->19181 19224 1009f105 19222->19224 19223 100a6962 6 API calls 19223->19224 19224->19223 19225 1009f133 19224->19225 19226 100a6962 6 API calls 19225->19226 19227 
1009f17a 19225->19227 19226->19225 19227->19151 19238 100ac69b 19228->19238 19229 100ac99f 19230 100aecde 34 API calls 19229->19230 19231 100ac9ac 19230->19231 19232 100aed2d 35 API calls 19231->19232 19233 100ac9c5 19232->19233 19233->19211 19234 100a195b 6 API calls 19234->19238 19236 1009f188 6 API calls 19236->19238 19237 100ac8c2 lstrlenA 19237->19238 19238->19229 19238->19234 19238->19236 19238->19237 19239 1009faff 19238->19239 19240 1009fb10 19239->19240 19241 1009fb18 19239->19241 19240->19241 19242 100a5b60 29 API calls 19240->19242 19241->19238 19245 1009fb35 19242->19245 19243 1009fbcb 19248 100a5bc1 LeaveCriticalSection 19243->19248 19244 1009fbdf 19249 100a5bc1 LeaveCriticalSection 19244->19249 19245->19243 19245->19244 19248->19241 19249->19241 19361 100539b0 19362 10050810 96 API calls 19361->19362 19363 100539d4 19362->19363 19364 100b79bd 19365 100b7e96 65 API calls 19364->19365 19366 100b79c4 19365->19366 19287 100310fb 19288 10031121 19287->19288 19297 10031213 19288->19297 19290 1003118d 19301 10031359 19290->19301 19292 100311a2 19293 10031195 19293->19292 19305 1003159e 19293->19305 19295 100311d7 19295->19292 19296 10026372 GetPEB 19295->19296 19296->19292 19298 10031229 19297->19298 19300 1003125f 19297->19300 19299 1000b301 GetPEB 19298->19299 19298->19300 19299->19300 19300->19290 19302 10031376 19301->19302 19304 100313ac 19301->19304 19303 1000b301 GetPEB 19302->19303 19302->19304 19303->19304 19304->19293 19306 100315b4 19305->19306 19307 100315ea 19305->19307 19306->19307 19308 1000b301 GetPEB 19306->19308 19307->19295 19308->19307 19273 1000c2d9 19275 1000c2e1 19273->19275 19274 1000c472 19275->19274 19276 1000bdd1 GetPEB 19275->19276 19277 1000c3a7 19276->19277 19277->19274 19278 1000bf31 GetPEB 19277->19278 19282 1000c438 19278->19282 19279 1000c46b 19281 1000be41 GetPEB 19279->19281 19280 1000c47e 19281->19274 19282->19279 19282->19280 19283 1000c161 GetPEB 19282->19283 19283->19279 18546 1009fdd7 18547 1009fde9 29 API calls 
18546->18547 18548 1009fde6 18547->18548 19355 100a7f94 19356 100a8026 19355->19356 19358 100a7fb2 19355->19358 19358->19356 19359 1009efb8 RtlUnwind 19358->19359 19360 1009efd0 19359->19360 19360->19358 18549 1009e576 18550 1009e589 18549->18550 18553 1009e592 18549->18553 18558 1009e5ba 18550->18558 18559 1009d3b0 18550->18559 18553->18550 18553->18558 18591 1009e49d 18553->18591 18555 1009e5da 18556 1009e49d 105 API calls 18555->18556 18555->18558 18556->18558 18557 1009e49d 105 API calls 18557->18555 18560 1009d3b9 18559->18560 18561 1009d422 18559->18561 18620 100b7b09 18560->18620 18562 1009d458 18561->18562 18563 1009d428 18561->18563 18568 100b40ee 65 API calls 18562->18568 18589 1009d3e3 18562->18589 18565 100b7d40 65 API calls 18563->18565 18569 1009d42d 18565->18569 18571 1009d463 18568->18571 18659 100b40ee 18569->18659 18572 100b40f7 66 API calls 18571->18572 18576 1009d46a 18572->18576 18575 100b7d40 65 API calls 18578 1009d3ea 18575->18578 18695 100b368b 18576->18695 18581 1009d405 18578->18581 18590 100ae767 31 API calls 18578->18590 18655 100b844b 18581->18655 18583 100b92ce 68 API calls 18586 1009d44c 18583->18586 18585 1009d3f8 18585->18581 18587 1009d3de 18585->18587 18691 100b8461 18586->18691 18634 100b92ce 18587->18634 18589->18555 18589->18557 18589->18558 18590->18585 18592 1009e4aa GetVersion 18591->18592 18593 1009e532 18591->18593 18815 100a3387 HeapCreate 18592->18815 18595 1009e538 18593->18595 18596 1009e564 18593->18596 18597 1009e4fd 18595->18597 18599 1009e553 18595->18599 18903 100a1f0a 18595->18903 18596->18597 18916 100a2b2a 18596->18916 18597->18550 18598 1009e4bc 18598->18597 18827 100a2a3e 18598->18827 18906 100a2d86 18599->18906 18605 1009e4f4 18606 1009e4f8 18605->18606 18607 1009e501 GetCommandLineA 18605->18607 18837 100a33e4 18606->18837 18844 100a30e0 18607->18844 18613 100a33e4 6 API calls 18613->18597 18615 1009e51b 18881 100a2e93 18615->18881 18617 1009e520 18890 100a2dda 18617->18890 18619 1009e525 18619->18597 
18621 100b8309 65 API calls 18620->18621 18622 1009d3c6 18621->18622 18623 100b8baa SetErrorMode SetErrorMode 18622->18623 18624 100b7d40 65 API calls 18623->18624 18625 100b8bc1 18624->18625 18626 100b7d40 65 API calls 18625->18626 18627 100b8bd0 18626->18627 18628 100b8bf6 18627->18628 18705 100b8c0d 18627->18705 18630 100b7d40 65 API calls 18628->18630 18631 100b8bfb 18630->18631 18632 1009d3da 18631->18632 18724 100b362c 18631->18724 18632->18575 18632->18587 18635 100b7d40 65 API calls 18634->18635 18636 100b92d7 18635->18636 18637 100b8e13 6 API calls 18636->18637 18642 100b92e0 18637->18642 18638 100b930d 18639 100b8e83 LeaveCriticalSection 18638->18639 18641 100b9317 18639->18641 18640 100a17b7 29 API calls 18640->18642 18644 100b7d40 65 API calls 18641->18644 18642->18638 18642->18640 18643 100b7d40 65 API calls 18642->18643 18645 100b92fe UnregisterClassA 18643->18645 18646 100b931c 18644->18646 18645->18642 18647 100b7b09 65 API calls 18646->18647 18650 100b9334 18647->18650 18648 100b7d40 65 API calls 18649 100b9359 18648->18649 18651 100b937e 18649->18651 18652 100b936b UnhookWindowsHookEx 18649->18652 18653 100b9371 18649->18653 18650->18648 18651->18589 18652->18653 18653->18651 18654 100b9378 UnhookWindowsHookEx 18653->18654 18654->18651 18656 100b845e 18655->18656 18657 100b8455 18655->18657 18656->18589 18751 100b81d6 EnterCriticalSection 18657->18751 18660 100b7d66 65 API calls 18659->18660 18661 1009d440 18660->18661 18662 100b40f7 18661->18662 18663 100b7d66 65 API calls 18662->18663 18665 100b4102 18663->18665 18664 1009d447 18664->18583 18665->18664 18666 100b4164 18665->18666 18667 100b412d 18665->18667 18754 100b3617 18665->18754 18668 100b7d40 65 API calls 18666->18668 18759 100b4315 18667->18759 18669 100b4169 18668->18669 18672 100b8309 65 API calls 18669->18672 18674 100b417b 18672->18674 18674->18664 18677 100b418e 18674->18677 18763 100a214e 18674->18763 18675 100b4315 29 API calls 18676 100b414c 18675->18676 18678 100b4315 29 API 
calls 18676->18678 18677->18664 18681 100b41bc 18677->18681 18683 100a214e 30 API calls 18677->18683 18680 100b4154 18678->18680 18682 100b4315 29 API calls 18680->18682 18685 1009fdd7 29 API calls 18681->18685 18684 100b415c 18682->18684 18687 100b41b1 18683->18687 18688 100b4315 29 API calls 18684->18688 18686 100b41c9 18685->18686 18686->18664 18690 1009fdd7 29 API calls 18686->18690 18689 1009fcee 29 API calls 18687->18689 18688->18666 18689->18681 18690->18664 18692 100b846b 18691->18692 18693 100b8478 18691->18693 18793 100b82b0 EnterCriticalSection 18692->18793 18693->18589 18696 100b3695 __EH_prolog 18695->18696 18697 100b40ee 65 API calls 18696->18697 18698 100b36a7 18697->18698 18699 100b40f7 66 API calls 18698->18699 18700 100b36ae 18699->18700 18702 100b36bd 18700->18702 18811 100b8380 18700->18811 18701 100b36fc 18701->18589 18702->18701 18704 100b82b0 7 API calls 18702->18704 18704->18701 18706 100b7d40 65 API calls 18705->18706 18707 100b8c20 GetModuleFileNameA 18706->18707 18735 100a04c4 18707->18735 18709 100b8c52 18741 100b8d2a 18709->18741 18712 100b8c84 18714 100b43fe 66 API calls 18712->18714 18723 100b8cbe 18712->18723 18721 100b8ca6 18714->18721 18715 100b8cf1 18717 100b8d00 lstrcatA 18715->18717 18718 100b8d1e 18715->18718 18716 100b8cd6 lstrcpyA 18719 100a1ea1 29 API calls 18716->18719 18720 100a1ea1 29 API calls 18717->18720 18718->18628 18719->18715 18720->18718 18722 100a1ea1 29 API calls 18721->18722 18722->18723 18723->18715 18723->18716 18725 100b7d40 65 API calls 18724->18725 18726 100b3631 18725->18726 18727 100b7b09 65 API calls 18726->18727 18734 100b3689 18726->18734 18728 100b363d GetCurrentThreadId SetWindowsHookExA 18727->18728 18729 100b83cb 7 API calls 18728->18729 18730 100b3667 18729->18730 18731 100b3674 18730->18731 18732 100b7d40 65 API calls 18730->18732 18733 100b8309 65 API calls 18731->18733 18732->18731 18733->18734 18734->18632 18736 100a04d2 18735->18736 18737 100a04e1 18735->18737 18736->18709 18738 100a5b60 29 
API calls 18737->18738 18739 100a04e9 18738->18739 18750 100a5bc1 LeaveCriticalSection 18739->18750 18742 100b8d32 18741->18742 18743 100b8d6a lstrcpynA 18742->18743 18744 100b8d60 lstrlenA 18742->18744 18745 100b8c6e 18743->18745 18744->18745 18745->18712 18746 100a1ea1 18745->18746 18747 100a1eaa 18746->18747 18749 100a1eb7 18746->18749 18748 1009fdd7 29 API calls 18747->18748 18748->18749 18749->18712 18750->18736 18752 100b820b LeaveCriticalSection 18751->18752 18753 100b81ec 18751->18753 18752->18656 18753->18752 18755 100b7d66 65 API calls 18754->18755 18756 100b361c 18755->18756 18757 100b3628 18756->18757 18758 100b7d40 65 API calls 18756->18758 18757->18667 18758->18757 18760 100b4144 18759->18760 18762 100b4322 18759->18762 18760->18675 18775 100ae19d 18762->18775 18764 100a217b 18763->18764 18765 100a21c1 18763->18765 18767 100a5b60 29 API calls 18764->18767 18766 100a220c HeapSize 18765->18766 18768 100a5b60 29 API calls 18765->18768 18769 100a221f 18766->18769 18770 100a2182 18767->18770 18771 100a21cd 18768->18771 18769->18677 18785 100a21b8 18770->18785 18788 100a2233 18771->18788 18774 100a21af 18774->18766 18774->18769 18776 100ae1ad 18775->18776 18777 100ae1a7 18775->18777 18781 100ae144 18776->18781 18778 100ae664 29 API calls 18777->18778 18778->18776 18783 100ae148 18781->18783 18784 100ae158 18781->18784 18782 100ae664 29 API calls 18782->18783 18783->18782 18783->18784 18784->18760 18791 100a5bc1 LeaveCriticalSection 18785->18791 18787 100a21bf 18787->18774 18792 100a5bc1 LeaveCriticalSection 18788->18792 18790 100a223a 18790->18774 18791->18787 18792->18790 18794 100b82df 18793->18794 18795 100b82c5 TlsGetValue 18793->18795 18796 100b82fd LeaveCriticalSection 18794->18796 18799 100b8217 4 API calls 18794->18799 18800 100b82dd 18794->18800 18795->18796 18797 100b82d1 18795->18797 18796->18693 18801 100b8217 18797->18801 18799->18794 18800->18796 18802 100b8270 EnterCriticalSection 18801->18802 18807 100b822e 18801->18807 18809 100b7e50 
18802->18809 18805 100b829f TlsSetValue 18808 100b82a9 18805->18808 18806 100b8297 18806->18805 18807->18802 18807->18808 18808->18800 18810 100b7e56 LeaveCriticalSection LocalFree 18809->18810 18810->18805 18810->18806 18812 100b8387 18811->18812 18814 100b839c 18811->18814 18813 100b8390 TlsGetValue 18812->18813 18812->18814 18813->18814 18814->18702 18816 100a33dd 18815->18816 18817 100a33a7 18815->18817 18816->18598 18938 100a323f 18817->18938 18820 100a33c3 18823 100a33e0 18820->18823 18952 100a78bc 18820->18952 18821 100a33b6 18950 100a6d75 HeapAlloc 18821->18950 18823->18598 18824 100a33c0 18824->18823 18826 100a33d1 HeapDestroy 18824->18826 18826->18816 19084 100a5acb InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 18827->19084 18829 100a2a44 TlsAlloc 18830 100a2a8e 18829->18830 18831 100a2a54 18829->18831 18830->18605 18832 100a0c42 30 API calls 18831->18832 18833 100a2a5d 18832->18833 18833->18830 18834 100a2a65 TlsSetValue 18833->18834 18834->18830 18835 100a2a76 18834->18835 18836 100a2a7c GetCurrentThreadId 18835->18836 18836->18605 18838 100a33f0 18837->18838 18842 100a3456 18837->18842 18839 100a3442 HeapFree 18838->18839 18841 100a3410 VirtualFree VirtualFree HeapFree 18838->18841 18840 100a347d HeapDestroy 18839->18840 18840->18597 18841->18839 18841->18841 18842->18840 18843 100a3469 VirtualFree 18842->18843 18843->18842 18845 100a30fb GetEnvironmentStringsW 18844->18845 18846 100a312e 18844->18846 18847 100a310f GetEnvironmentStrings 18845->18847 18848 100a3103 18845->18848 18846->18848 18849 100a311f 18846->18849 18847->18849 18850 1009e511 18847->18850 18851 100a313b GetEnvironmentStringsW 18848->18851 18857 100a3147 WideCharToMultiByte 18848->18857 18849->18850 18852 100a31c1 GetEnvironmentStrings 18849->18852 18856 100a31cd 18849->18856 18867 100a2bca 18850->18867 18851->18850 18851->18857 18852->18850 18852->18856 18854 100a317b 18859 1009fdd7 29 API calls 18854->18859 18855 100a31ad 
FreeEnvironmentStringsW 18855->18850 18858 1009fdd7 29 API calls 18856->18858 18857->18854 18857->18855 18865 100a31e8 18858->18865 18860 100a3181 18859->18860 18860->18855 18861 100a318a WideCharToMultiByte 18860->18861 18863 100a319b 18861->18863 18864 100a31a4 18861->18864 18862 100a31fe FreeEnvironmentStringsA 18862->18850 18866 1009fcee 29 API calls 18863->18866 18864->18855 18865->18862 18866->18864 18868 1009fdd7 29 API calls 18867->18868 18869 100a2bdd 18868->18869 18870 100a2beb GetStartupInfoA 18869->18870 18871 1009e613 7 API calls 18869->18871 18873 100a2d0a 18870->18873 18880 100a2c39 18870->18880 18871->18870 18874 100a2d75 SetHandleCount 18873->18874 18875 100a2d35 GetStdHandle 18873->18875 18874->18615 18875->18873 18877 100a2d43 GetFileType 18875->18877 18876 1009fdd7 29 API calls 18876->18880 18877->18873 18878 100a2cb0 18878->18873 18879 100a2cd2 GetFileType 18878->18879 18879->18878 18880->18873 18880->18876 18880->18878 18882 100a2eaa GetModuleFileNameA 18881->18882 18883 100a2ea5 18881->18883 18885 100a2ecd 18882->18885 19085 100a2a22 18883->19085 18886 1009fdd7 29 API calls 18885->18886 18887 100a2eee 18886->18887 18888 100a2efe 18887->18888 18889 1009e613 7 API calls 18887->18889 18888->18617 18889->18888 18891 100a2de7 18890->18891 18894 100a2dec 18890->18894 18892 100a2a22 48 API calls 18891->18892 18892->18894 18893 1009fdd7 29 API calls 18895 100a2e19 18893->18895 18894->18893 18896 1009e613 7 API calls 18895->18896 18902 100a2e2d 18895->18902 18896->18902 18897 100a2e70 18898 1009fcee 29 API calls 18897->18898 18899 100a2e7c 18898->18899 18899->18619 18900 1009fdd7 29 API calls 18900->18902 18901 1009e613 7 API calls 18901->18902 18902->18897 18902->18900 18902->18901 19114 100a1f19 18903->19114 18908 100a2d8e 18906->18908 18907 1009e558 18911 100a2a92 18907->18911 18908->18907 18909 1009fcee 29 API calls 18908->18909 18910 100a2da8 DeleteCriticalSection 18908->18910 18909->18908 18910->18908 19130 100a5af4 18911->19130 18913 100a2a97 
18914 1009e55d 18913->18914 18915 100a2aa1 TlsFree 18913->18915 18914->18613 18915->18914 18917 100a2b38 18916->18917 18918 100a2bc9 18916->18918 18919 100a2b4e 18917->18919 18920 100a2b41 TlsGetValue 18917->18920 18918->18597 18921 100a2b5b 18919->18921 18923 1009fcee 29 API calls 18919->18923 18920->18919 18922 100a2bba TlsSetValue 18920->18922 18924 100a2b69 18921->18924 18925 1009fcee 29 API calls 18921->18925 18922->18918 18923->18921 18926 100a2b77 18924->18926 18927 1009fcee 29 API calls 18924->18927 18925->18924 18928 100a2b85 18926->18928 18930 1009fcee 29 API calls 18926->18930 18927->18926 18929 100a2b93 18928->18929 18931 1009fcee 29 API calls 18928->18931 18932 100a2ba1 18929->18932 18933 1009fcee 29 API calls 18929->18933 18930->18928 18931->18929 18934 100a2bb2 18932->18934 18935 1009fcee 29 API calls 18932->18935 18933->18932 18936 1009fcee 29 API calls 18934->18936 18935->18934 18937 100a2bb9 18936->18937 18937->18922 18961 1009fad0 18938->18961 18940 100a324c GetVersionExA 18941 100a3268 18940->18941 18942 100a3282 GetEnvironmentVariableA 18940->18942 18941->18942 18944 100a327a 18941->18944 18943 100a335f 18942->18943 18946 100a32a1 18942->18946 18943->18944 18966 100a3212 GetModuleHandleA 18943->18966 18944->18820 18944->18821 18947 100a32e6 GetModuleFileNameA 18946->18947 18948 100a32de 18946->18948 18947->18948 18948->18943 18963 100a223c 18948->18963 18951 100a6d91 18950->18951 18951->18824 18953 100a78c9 18952->18953 18954 100a78d0 HeapAlloc 18952->18954 18955 100a78ed VirtualAlloc 18953->18955 18954->18955 18956 100a7925 18954->18956 18957 100a790d VirtualAlloc 18955->18957 18958 100a79e2 18955->18958 18956->18824 18957->18956 18959 100a79d4 VirtualFree 18957->18959 18958->18956 18960 100a79ea HeapFree 18958->18960 18959->18958 18960->18956 18962 1009fadc 18961->18962 18962->18940 18962->18962 18968 100a2253 18963->18968 18967 100a3229 18966->18967 18967->18944 18970 100a226b 18968->18970 18971 100a229b 18970->18971 18977 100a6962 
18970->18977 18972 100a6962 6 API calls 18971->18972 18975 100a23c4 18971->18975 18976 100a224f 18971->18976 18981 100a023c 18971->18981 18972->18971 18975->18976 18992 100a088d 18975->18992 18976->18943 18978 100a6980 18977->18978 18980 100a6974 18977->18980 18995 100aa1be 18978->18995 18980->18970 18982 100a025a InterlockedIncrement 18981->18982 18984 100a0247 18981->18984 18983 100a0276 InterlockedDecrement 18982->18983 18987 100a0280 18982->18987 18985 100a5b60 29 API calls 18983->18985 18984->18971 18985->18987 19007 100a02ab 18987->19007 18989 100a02a0 InterlockedDecrement 18989->18984 18990 100a0296 19013 100a5bc1 LeaveCriticalSection 18990->19013 19032 100a2ac3 GetLastError TlsGetValue 18992->19032 18994 100a0892 18994->18976 18996 100aa1ef GetStringTypeW 18995->18996 18997 100aa207 18995->18997 18996->18997 18998 100aa20b GetStringTypeA 18996->18998 18999 100aa232 GetStringTypeA 18997->18999 19000 100aa256 18997->19000 18998->18997 19001 100aa2f3 18998->19001 18999->19001 19000->19001 19003 100aa26c MultiByteToWideChar 19000->19003 19001->18980 19003->19001 19004 100aa290 19003->19004 19004->19001 19005 100aa2ca MultiByteToWideChar 19004->19005 19005->19001 19006 100aa2e3 GetStringTypeW 19005->19006 19006->19001 19008 100a02d6 19007->19008 19012 100a028d 19007->19012 19009 100a02f2 19008->19009 19010 100a6962 6 API calls 19008->19010 19009->19012 19014 100a6a64 19009->19014 19010->19009 19012->18989 19012->18990 19013->18984 19015 100a6a94 LCMapStringW 19014->19015 19018 100a6ab0 19014->19018 19016 100a6ab8 LCMapStringA 19015->19016 19015->19018 19017 100a6bf2 19016->19017 19016->19018 19017->19012 19019 100a6af9 LCMapStringA 19018->19019 19020 100a6b16 19018->19020 19019->19017 19020->19017 19021 100a6b2c MultiByteToWideChar 19020->19021 19021->19017 19022 100a6b56 19021->19022 19022->19017 19023 100a6b8c MultiByteToWideChar 19022->19023 19023->19017 19024 100a6ba5 LCMapStringW 19023->19024 19024->19017 19025 100a6bc0 19024->19025 19026 100a6bc6 
19025->19026 19028 100a6c06 19025->19028 19026->19017 19027 100a6bd4 LCMapStringW 19026->19027 19027->19017 19028->19017 19029 100a6c3e LCMapStringW 19028->19029 19029->19017 19030 100a6c56 WideCharToMultiByte 19029->19030 19030->19017 19033 100a2b1e SetLastError 19032->19033 19034 100a2adf 19032->19034 19033->18994 19043 100a0c42 19034->19043 19037 100a2af0 TlsSetValue 19038 100a2b16 19037->19038 19039 100a2b01 19037->19039 19040 1009e613 7 API calls 19038->19040 19042 100a2b07 GetCurrentThreadId 19039->19042 19041 100a2b1d 19040->19041 19041->19033 19042->19033 19047 100a0c77 19043->19047 19044 100a0d5d 19044->19037 19044->19038 19045 100a0d2f HeapAlloc 19045->19047 19046 100a5b60 29 API calls 19046->19047 19047->19044 19047->19045 19047->19046 19052 100a7111 19047->19052 19058 100a0cdb 19047->19058 19061 100a7bb4 19047->19061 19068 100a0d64 19047->19068 19055 100a7143 19052->19055 19053 100a71e2 19057 100a71f1 19053->19057 19078 100a74cb 19053->19078 19055->19053 19055->19057 19071 100a741a 19055->19071 19057->19047 19082 100a5bc1 LeaveCriticalSection 19058->19082 19060 100a0ce2 19060->19047 19062 100a7bc2 19061->19062 19063 100a7d83 19062->19063 19065 100a7cae VirtualAlloc 19062->19065 19067 100a7c7f 19062->19067 19064 100a78bc 5 API calls 19063->19064 19064->19067 19065->19067 19067->19047 19083 100a5bc1 LeaveCriticalSection 19068->19083 19070 100a0d6b 19070->19047 19072 100a745d HeapAlloc 19071->19072 19073 100a742d HeapReAlloc 19071->19073 19075 100a7483 VirtualAlloc 19072->19075 19077 100a74ad 19072->19077 19074 100a744c 19073->19074 19073->19077 19074->19072 19076 100a749d HeapFree 19075->19076 19075->19077 19076->19077 19077->19053 19079 100a74dd VirtualAlloc 19078->19079 19081 100a7526 19079->19081 19081->19057 19082->19060 19083->19070 19084->18829 19086 100a2a2b 19085->19086 19087 100a2a32 19085->19087 19089 100a264a 19086->19089 19087->18882 19090 100a5b60 29 API calls 19089->19090 19091 100a265a 19090->19091 19100 100a27f7 19091->19100 19095 100a27ef 
19095->19087 19097 100a2696 GetCPInfo 19099 100a26ac 19097->19099 19098 100a2671 19113 100a5bc1 LeaveCriticalSection 19098->19113 19099->19098 19105 100a289d GetCPInfo 19099->19105 19101 100a2817 19100->19101 19102 100a2807 GetOEMCP 19100->19102 19103 100a2662 19101->19103 19104 100a281c GetACP 19101->19104 19102->19101 19103->19097 19103->19098 19103->19099 19104->19103 19107 100a28c0 19105->19107 19112 100a2988 19105->19112 19106 100aa1be 6 API calls 19108 100a293c 19106->19108 19107->19106 19109 100a6a64 9 API calls 19108->19109 19110 100a2960 19109->19110 19111 100a6a64 9 API calls 19110->19111 19111->19112 19112->19098 19113->19095 19123 100a1fbe 19114->19123 19117 100a1f2a GetCurrentProcess TerminateProcess 19118 100a1f3b 19117->19118 19119 100a1fac ExitProcess 19118->19119 19120 100a1fa5 19118->19120 19126 100a1fc7 19120->19126 19124 100a5b60 29 API calls 19123->19124 19125 100a1f1f 19124->19125 19125->19117 19125->19118 19129 100a5bc1 LeaveCriticalSection 19126->19129 19128 100a1f15 19128->18599 19129->19128 19131 100a5b01 19130->19131 19132 100a5b3d DeleteCriticalSection DeleteCriticalSection DeleteCriticalSection DeleteCriticalSection 19131->19132 19133 100a5b27 DeleteCriticalSection 19131->19133 19132->18913 19134 1009fcee 29 API calls 19133->19134 19134->19131 19254 1002607d 19261 100260ba 19254->19261 19256 10026095 19265 10026200 19256->19265 19258 100260a4 19269 10026372 19258->19269 19260 100260ac 19262 100260d0 19261->19262 19264 10026106 19261->19264 19263 1000b301 GetPEB 19262->19263 19262->19264 19263->19264 19264->19256 19266 10026216 19265->19266 19268 1002624c 19265->19268 19267 1000b301 GetPEB 19266->19267 19266->19268 19267->19268 19268->19258 19270 10026388 19269->19270 19272 100263be 19269->19272 19271 1000b301 GetPEB 19270->19271 19270->19272 19271->19272 19272->19260

    Control-flow Graph

    APIs
    • EnterCriticalSection.KERNEL32(102372C8,1023729C,?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6), ref: 100B7F70
    • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6), ref: 100B7FC5
    • GlobalHandle.KERNEL32(009A0988), ref: 100B7FCE
    • GlobalUnlock.KERNEL32(00000000,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B7FD7
    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100B7FE9
    • GlobalHandle.KERNEL32(009A0988), ref: 100B8000
    • GlobalLock.KERNEL32(00000000,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B8007
    • LeaveCriticalSection.KERNEL32(?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B800D
    • GlobalLock.KERNEL32(?,?,102372AC,102372AC,100B833D,?,?,100B7D4F,100B7644,100B7D6B,100B40F3,1009D463,?,1009E5C6,?,?), ref: 100B801C
    • LeaveCriticalSection.KERNEL32(?), ref: 100B8065
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
    • String ID:
    • API String ID: 2667261700-0
    • Opcode ID: 816c57c658faaec40744c78e48b38dfd795ba1b4105b7cc5cddf4eb03449103e
    • Instruction ID: 498a4d4b33ea80642452fd91aee4d4dcedf663756efad2e5077c2c69e86dd376
    • Opcode Fuzzy Hash: 816c57c658faaec40744c78e48b38dfd795ba1b4105b7cc5cddf4eb03449103e
    • Instruction Fuzzy Hash: E2318C7920030A9FE720DF28CC89A6AB7E9FB44351B054A3DF9A6C3661E775ED04CB10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 157 100b8baa-100b8bd5 SetErrorMode * 2 call 100b7d40 * 2 162 100b8bd7-100b8bf1 call 100b8c0d 157->162 163 100b8bf6-100b8c00 call 100b7d40 157->163 162->163 167 100b8c02 call 100b362c 163->167 168 100b8c07-100b8c0a 163->168 167->168
    APIs
    • SetErrorMode.KERNELBASE(00000000,00000000,1009D3DA,?,00000000,102024D8,00000000,?,?,?,?,1009E5C6,?,?,?,?), ref: 100B8BB3
    • SetErrorMode.KERNELBASE(00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B8BBA
      • Part of subcall function 100B8C0D: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 100B8C3E
      • Part of subcall function 100B8C0D: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 100B8CDF
      • Part of subcall function 100B8C0D: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 100B8D0C
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
    • String ID:
    • API String ID: 3389432936-0
    • Opcode ID: 15b3d953bc19076414d90048a8f5b616186e41622a36a53b224c1c9f87799652
    • Instruction ID: 087b8daccc1f6c15232af1c7bc50bfed5f7c389513a8762a668d1110a768dc41
    • Opcode Fuzzy Hash: 15b3d953bc19076414d90048a8f5b616186e41622a36a53b224c1c9f87799652
    • Instruction Fuzzy Hash: 6AF0F9BD9142509FD704EF24D445B1A7BE5EF48750F06888EF4489B3A3CB74E940CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 170 100a3387-100a33a5 HeapCreate 171 100a33dd-100a33df 170->171 172 100a33a7-100a33b4 call 100a323f 170->172 175 100a33c3-100a33c6 172->175 176 100a33b6-100a33c1 call 100a6d75 172->176 178 100a33c8 call 100a78bc 175->178 179 100a33e0-100a33e3 175->179 182 100a33cd-100a33cf 176->182 178->182 182->179 183 100a33d1-100a33d7 HeapDestroy 182->183 183->171
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,1009E4BC,00000001), ref: 100A3398
      • Part of subcall function 100A323F: GetVersionExA.KERNEL32 ref: 100A325E
    • HeapDestroy.KERNEL32 ref: 100A33D7
      • Part of subcall function 100A6D75: HeapAlloc.KERNEL32(00000000,00000140,100A33C0,000003F8), ref: 100A6D82
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Heap$AllocCreateDestroyVersion
    • String ID:
    • API String ID: 2507506473-0
    • Opcode ID: f07123f8dac605b98cec2a6f8b1d4210e4128eb9820a7e61b3c40568f6776003
    • Instruction ID: afadf4824ae4ff731c78a4d48753470203b12de417edcdbfda830e2e05446c17
    • Opcode Fuzzy Hash: f07123f8dac605b98cec2a6f8b1d4210e4128eb9820a7e61b3c40568f6776003
    • Instruction Fuzzy Hash: F7F06536648352EAFF10D7B44C8A75D37D4EB447D2F208C25F401D80A1EEF48781D652
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 184 1009fe15-1009fe40 185 1009fe42-1009fe4b 184->185 186 1009fe85-1009fe88 184->186 187 1009fe51-1009fe75 call 100a5b60 call 100a7111 call 1009fe7c 185->187 188 1009fee4-1009fee9 185->188 186->188 189 1009fe8a-1009fe8f 186->189 187->188 209 1009fe77 187->209 191 1009feeb-1009feed 188->191 192 1009feee-1009fef3 188->192 193 1009fe99-1009fe9b 189->193 194 1009fe91-1009fe97 189->194 191->192 196 1009fef4-1009fefc RtlAllocateHeap 192->196 197 1009fe9c-1009fea5 193->197 194->197 199 1009ff02-1009ff10 196->199 200 1009fed5-1009fed6 197->200 201 1009fea7-1009fed3 call 100a5b60 call 100a7bb4 call 1009fedb 197->201 200->196 201->199 201->200 209->199
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?), ref: 1009FEFC
      • Part of subcall function 100A5B60: InitializeCriticalSection.KERNEL32(00000000,?,?,?,1009FD6D,00000009,?,?,?), ref: 100A5B9D
      • Part of subcall function 100A5B60: EnterCriticalSection.KERNEL32(?,?,?,1009FD6D,00000009,?,?,?), ref: 100A5BB8
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$AllocateEnterHeapInitialize
    • String ID:
    • API String ID: 1616793339-0
    • Opcode ID: 5576f0b4b5dd33d69d6b247caf3936a612d61cb94d29ddb3121c0dbe64597b0b
    • Instruction ID: bb554ffa4fab1a68767529a3e5eef4976a3ac405748671115ccdc5b027cee7f2
    • Opcode Fuzzy Hash: 5576f0b4b5dd33d69d6b247caf3936a612d61cb94d29ddb3121c0dbe64597b0b
    • Instruction Fuzzy Hash: F6212835A00219EBDB10DFA9DC42BEEB7A4FB00760F21451AF818EB5E2C774AD41E664
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 212 10053b30-10053b4e RtlAllocateHeap 213 10053b50-10053b59 call 100507d0 212->213 214 10053b5c-10053b62 212->214 213->214
    APIs
    • RtlAllocateHeap.NTDLL(00980000,00000000,?), ref: 10053B41
      • Part of subcall function 100507D0: wsprintfA.USER32 ref: 100507E2
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AllocateHeapwsprintf
    • String ID:
    • API String ID: 1352872168-0
    • Opcode ID: 8f4a746dc0311a72110d9e9e0d91b23e593a354499c0ef69cf1bc2cb8c0bafbd
    • Instruction ID: 6d07ddb9d044c094a66013f31d76628e75d4fba66ab6e66e8110b09e59daf6fa
    • Opcode Fuzzy Hash: 8f4a746dc0311a72110d9e9e0d91b23e593a354499c0ef69cf1bc2cb8c0bafbd
    • Instruction Fuzzy Hash: C3E046B9900208EBEB00CBA0D985A9A77B8EB08300F008258FA094B200D632EE009B91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 217 100b43fe-100b441d call 100b7d40 LoadStringA 220 100b441f 217->220 221 100b4421-100b4422 217->221 220->221
    APIs
    • LoadStringA.USER32(?,00000100,00000100,00000100), ref: 100B4415
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: LoadString
    • String ID:
    • API String ID: 2948472770-0
    • Opcode ID: 9b75291d1cc68b3889218e39b470f55b1b3f212765dcf4c0af887729f4fae742
    • Instruction ID: 8359965a88f82c01c0158bd845a499ad04138399ba43e1135119a8c9ab86c759
    • Opcode Fuzzy Hash: 9b75291d1cc68b3889218e39b470f55b1b3f212765dcf4c0af887729f4fae742
    • Instruction Fuzzy Hash: 4ED09E7A5193A29BC611DF61C804D9FBBA8BF55250B054C49F49453111C720D8548666
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 100511D5
    • IsWindow.USER32(0001044C), ref: 100511F1
    • SendMessageA.USER32(0001044C,000083E7,?,00000000), ref: 1005120A
    • ExitProcess.KERNEL32 ref: 1005121F
    • FreeLibrary.KERNEL32(?), ref: 10051303
    • FreeLibrary.KERNEL32 ref: 10051357
    • DestroyCursor.USER32(00000000), ref: 100513A7
    • DestroyCursor.USER32(00000000), ref: 100513BE
    • IsWindow.USER32(0001044C), ref: 100513D5
    • DestroyCursor.USER32(?), ref: 10051484
    • WSACleanup.WS2_32 ref: 100514CF
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
    • String ID:
    • API String ID: 2560087610-0
    • Opcode ID: 707b8f6f0e4e0ea7670fbf31e7e102d33ce47446a8d090316e7ce72e96af57c6
    • Instruction ID: 469d989f5cfea75ff7cb4fb78b9694011f68c50ed32e348f67c6d81aea70ebb5
    • Opcode Fuzzy Hash: 707b8f6f0e4e0ea7670fbf31e7e102d33ce47446a8d090316e7ce72e96af57c6
    • Instruction Fuzzy Hash: D7B157B46007029BD724DF64C8D5BDAB7E9FF48340F51492DE9AAC7281DB30B989CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.KERNEL32(00000000,1021B674), ref: 10050497
    • LoadLibraryA.KERNEL32(?,?,1022BC38), ref: 10050589
    • LoadLibraryA.KERNEL32(?,?), ref: 100505CF
    • LoadLibraryA.KERNEL32(?,?,1022BB40,00000001), ref: 10050617
    • LoadLibraryA.KERNEL32(00000001), ref: 1005062D
    • GetProcAddress.KERNEL32(00000000,?), ref: 1005063F
    • FreeLibrary.KERNEL32(00000000), ref: 100506D2
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Library$Load$AddressProc$Free
    • String ID:
    • API String ID: 3120990465-0
    • Opcode ID: 75f8b8f97f2a34dd914fdd3f315ff725e8f10e0936d79b99ee6fa344b573f52f
    • Instruction ID: 05b09a8fc11e86cb4538e7611abaae9387d229b962f2f119f66d44664a6082ad
    • Opcode Fuzzy Hash: 75f8b8f97f2a34dd914fdd3f315ff725e8f10e0936d79b99ee6fa344b573f52f
    • Instruction Fuzzy Hash: D4A19EB5A04752ABD314DF64C881B9BB3E8FF89310F044A2DF95597281EB34AD19CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,100A35E9,?,Microsoft Visual C++ Runtime Library,00012010,?,1020493C,?,1020498C,?,?,?,Runtime Error!Program: ), ref: 100AAA01
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 100AAA19
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 100AAA2A
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 100AAA37
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-4044615076
    • Opcode ID: a74306af38e9c4c1ad1bdd7639b7635a187d018bb3919e0ac27513e2504a79e1
    • Instruction ID: e8165724b945ed01e0431c187fec83e22f06b7cef257cb198dd2aeaf103b0a81
    • Opcode Fuzzy Hash: a74306af38e9c4c1ad1bdd7639b7635a187d018bb3919e0ac27513e2504a79e1
    • Instruction Fuzzy Hash: 44012131601373DBDB50DFF58DC8A6B7BE9EB9E6907010529E501C6162DB348844DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,10204BCC,00000001,00000000,00000000,74DEE860,102379F4,?,00000003,00000000,00000001,00000000,?,?,100A028D), ref: 100A6AA6
    • LCMapStringA.KERNEL32(00000000,00000100,10204BC8,00000001,00000000,00000000,?,?,100A028D,?), ref: 100A6AC2
    • LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,102379F4,?,00000003,00000000,00000001,00000000,?,?,100A028D), ref: 100A6B0B
    • MultiByteToWideChar.KERNEL32(?,102379F5,00000000,00000001,00000000,00000000,74DEE860,102379F4,?,00000003,00000000,00000001,00000000,?,?,100A028D), ref: 100A6B43
    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 100A6B9B
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 100A6BB1
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 100A6BE4
    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 100A6C4C
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID:
    • API String ID: 352835431-0
    • Opcode ID: 2eb373ebfc1d7118cb6b1b919dbfd7a6d673843321a28c43fb8b50629bc801ef
    • Instruction ID: 4b4af60aba4e7cb564ae3ff0afe7de9f29bdb185e78238d85ae9a8b434eff6c1
    • Opcode Fuzzy Hash: 2eb373ebfc1d7118cb6b1b919dbfd7a6d673843321a28c43fb8b50629bc801ef
    • Instruction Fuzzy Hash: D6515A71900259EFDF22CF94CC85ADE3FB9FB89794F208629F955A2160D3318D60EB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 100A3532
    • GetStdHandle.KERNEL32(000000F4,1020493C,00000000,?,00000000,?), ref: 100A3608
    • WriteFile.KERNEL32(00000000), ref: 100A360F
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3784150691-4022980321
    • Opcode ID: cf1c400a80d1d6f8f519c7d20f52625956d6cac42374561a115919b0d26c4895
    • Instruction ID: 75d7edd16df77553bd8204fdcf0ca45fb0a31db4b3d302c0142d5476c8e90829
    • Opcode Fuzzy Hash: cf1c400a80d1d6f8f519c7d20f52625956d6cac42374561a115919b0d26c4895
    • Instruction Fuzzy Hash: 7031B076A0021CEFDF20DAE4CC86FEA73ADEB45380F608566F545A7141EB70AA80CA51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1009E511), ref: 100A30FB
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,1009E511), ref: 100A310F
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1009E511), ref: 100A313B
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,1009E511), ref: 100A3173
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,1009E511), ref: 100A3195
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,1009E511), ref: 100A31AE
    • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,1009E511), ref: 100A31C1
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 100A31FF
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
    • String ID:
    • API String ID: 1823725401-0
    • Opcode ID: 4433bf0067b83a4e270eb803c1c9dab745779409026a448051f151cc50177b59
    • Instruction ID: cfb908c35fc159720ef29b2f4a78f0df2796ecd962675dfef85bfa5d948f7730
    • Opcode Fuzzy Hash: 4433bf0067b83a4e270eb803c1c9dab745779409026a448051f151cc50177b59
    • Instruction Fuzzy Hash: 9E310A765043A6EFE320FFF94CC882B7BDCF64A6D47124929F952C3111E6A09C40C7A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStringTypeW.KERNEL32(00000001,10204BCC,00000001,?,74DEE860,102379F4,?,?,00000002,00000000,?,?,100A028D,?), ref: 100AA1FD
    • GetStringTypeA.KERNEL32(00000000,00000001,10204BC8,00000001,?,?,?,100A028D,?), ref: 100AA217
    • GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,74DEE860,102379F4,?,?,00000002,00000000,?,?,100A028D,?), ref: 100AA24B
    • MultiByteToWideChar.KERNEL32(?,102379F5,?,00000000,00000000,00000000,74DEE860,102379F4,?,?,00000002,00000000,?,?,100A028D,?), ref: 100AA283
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 100AA2D9
    • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 100AA2EB
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    • Opcode ID: d6005f5fd8e7dc4fcddc91b1c410834bfd2c5813bb1634ad19983f3edefd3277
    • Instruction ID: dc7f85178876988037882e2667c7c8db75f15d7d67f101b0e09ba79dbe70e586
    • Opcode Fuzzy Hash: d6005f5fd8e7dc4fcddc91b1c410834bfd2c5813bb1634ad19983f3edefd3277
    • Instruction Fuzzy Hash: F7416B7690025AEFCF20DF98CC89AEE7FB9FB0A290F104525F915D6190C73289A0DB91
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • TlsGetValue.KERNEL32(102372AC,1023729C,00000000,?,102372AC,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?), ref: 100B80DB
    • EnterCriticalSection.KERNEL32(102372C8,00000010,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B812A
    • LeaveCriticalSection.KERNEL32(102372C8,00000000,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B813D
    • LocalAlloc.KERNEL32(00000000,00000003,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B8153
    • LocalReAlloc.KERNEL32(?,00000003,00000002,?,100B8379,1023729C,00000000,?,1009E5C6,?,?,?,?,?,?), ref: 100B8165
    • TlsSetValue.KERNEL32(102372AC,00000000), ref: 100B81A1
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AllocCriticalLocalSectionValue$EnterLeave
    • String ID:
    • API String ID: 4117633390-0
    • Opcode ID: f5c7ee422b9b62af0218e44f22bcecb7798588a3e08037c1fcf44bd7f7dfd589
    • Instruction ID: 1f78184cf6855ae451c4be3816702cafbf4a8a272def4790b2df67d60753a780
    • Opcode Fuzzy Hash: f5c7ee422b9b62af0218e44f22bcecb7798588a3e08037c1fcf44bd7f7dfd589
    • Instruction Fuzzy Hash: D0314F79100605EFE714CF59C889E96B7E8FF44750F10CA19E56687650E770EE06CB60
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A341C
    • VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3427
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3434
    • HeapFree.KERNEL32(00000000,?,?,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3450
    • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,1009E562,1009E5B6,?,?,?), ref: 100A3471
    • HeapDestroy.KERNEL32(?,?,1009E562,1009E5B6,?,?,?), ref: 100A3483
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Free$HeapVirtual$Destroy
    • String ID:
    • API String ID: 716807051-0
    • Opcode ID: 9907b2dbabc6b22c07ae2e13deedde6ce08470b4c1765e03c905028d89642275
    • Instruction ID: 921bf33908d7db1bb4f467f63baf701047519ebc96a747b42b8b88cbf22fbdcb
    • Opcode Fuzzy Hash: 9907b2dbabc6b22c07ae2e13deedde6ce08470b4c1765e03c905028d89642275
    • Instruction Fuzzy Hash: 82117C3A240265EBEA32CB54DCC9F49B7A5F748750F228920F6806A4A1C6B1BD41DB58
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • GetVersionExA.KERNEL32 ref: 100A325E
    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 100A3293
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100A32F3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentFileModuleNameVariableVersion
    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
    • API String ID: 1385375860-4131005785
    • Opcode ID: b0fc5c1220a8d89f4271bdd84652c32ab713099f1f215e31a0b58349a27fde11
    • Instruction ID: 64265b808d29a985652b266f1d5153974a033dd7018804ba12ce5284c4d75aa8
    • Opcode Fuzzy Hash: b0fc5c1220a8d89f4271bdd84652c32ab713099f1f215e31a0b58349a27fde11
    • Instruction Fuzzy Hash: 7031D276809298EDEF61C6F05C92BDD7BACDB12384F24C4E9F145D6042EAB19F89CB11
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 100B8C3E
      • Part of subcall function 100B8D2A: lstrlenA.KERNEL32(?,00000000,?), ref: 100B8D61
    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 100B8CDF
    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 100B8D0C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: FileModuleNamelstrcatlstrcpylstrlen
    • String ID: .HLP$.INI
    • API String ID: 2421895198-3011182340
    • Opcode ID: 215b2dbbfd57f928c0a465aa8ae17e0194eb6833960b13584e80889fe829a9ba
    • Instruction ID: a6b310693537a418bf49237501887c8a255ee275912405b3828120ee16d60506
    • Opcode Fuzzy Hash: 215b2dbbfd57f928c0a465aa8ae17e0194eb6833960b13584e80889fe829a9ba
    • Instruction Fuzzy Hash: 3D3170B9800719DFD720DFB0C885BCAB7FCEF04350F10496AE589D2151EB70AA84CB60
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 100A2C28
    • GetFileType.KERNEL32(00000480), ref: 100A2CD3
    • GetStdHandle.KERNEL32(-000000F6), ref: 100A2D36
    • GetFileType.KERNEL32(00000000), ref: 100A2D44
    • SetHandleCount.KERNEL32 ref: 100A2D7B
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID:
    • API String ID: 1710529072-0
    • Opcode ID: 0e924dc1c542710af7069442172a20ff571d159eb0aded0f43bbca21da910724
    • Instruction ID: a57c1ff5f4c9d2183571c2b3e2f5e9ee1434f23135dc258d1b4e813c33f5582b
    • Opcode Fuzzy Hash: 0e924dc1c542710af7069442172a20ff571d159eb0aded0f43bbca21da910724
    • Instruction Fuzzy Hash: 64510131914265CFD720CBACC8987597BE0FB19378F268678C5A39B2E2D7309906C751
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • GetLastError.KERNEL32(00000103,7FFFFFFF,100A0892,100A240A,00000000,?,?,00000000,00000001), ref: 100A2AC5
    • TlsGetValue.KERNEL32 ref: 100A2AD3
    • SetLastError.KERNEL32(00000000), ref: 100A2B1F
      • Part of subcall function 100A0C42: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,100A7F94,10204500,000000FF,?,100A2AE8,00000001,00000074), ref: 100A0D38
    • TlsSetValue.KERNEL32(00000000), ref: 100A2AF7
    • GetCurrentThreadId.KERNEL32 ref: 100A2B08
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastValue$AllocCurrentHeapThread
    • String ID:
    • API String ID: 2020098873-0
    • Opcode ID: 84d35f0546d9f5a6aaf9d057484cbaa8b6fc2a4440836c52497e07e6645ad6e5
    • Instruction ID: 30303a567b2660ae9c6e8a5ee3af6970a8f412036590442b6ba16ce2a8e49bf2
    • Opcode Fuzzy Hash: 84d35f0546d9f5a6aaf9d057484cbaa8b6fc2a4440836c52497e07e6645ad6e5
    • Instruction Fuzzy Hash: 8AF0BB3D6002719BE2355FB89C4DA893B94EF00BB17210728F546E71E1DF308C41D6A1
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • DeleteCriticalSection.KERNEL32(00000000,?,?,100A2A97,1009E55D,1009E5B6,?,?,?), ref: 100A5B28
      • Part of subcall function 1009FCEE: HeapFree.KERNEL32(00000000,?,?,?,?), ref: 1009FDC2
    • DeleteCriticalSection.KERNEL32(?,?,100A2A97,1009E55D,1009E5B6,?,?,?), ref: 100A5B43
    • DeleteCriticalSection.KERNEL32 ref: 100A5B4B
    • DeleteCriticalSection.KERNEL32 ref: 100A5B53
    • DeleteCriticalSection.KERNEL32 ref: 100A5B5B
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CriticalDeleteSection$FreeHeap
    • String ID:
    • API String ID: 447823528-0
    • Opcode ID: 80839d8ce2d3efbf508084d642a8e5c906a0010bae696f60ecfb8db0e32d920c
    • Instruction ID: c8a102261e4439f78ff6b81f4ec57b3b509e4cb3a60c0317ba03094adb996b3b
    • Opcode Fuzzy Hash: 80839d8ce2d3efbf508084d642a8e5c906a0010bae696f60ecfb8db0e32d920c
    • Instruction Fuzzy Hash: 60F05B2D85012CE6DA65BB59DD49C55FA95EA802623660072E8967B130CB334CA0C5E0
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • HeapAlloc.KERNEL32(00000000,00002020,1021CFC0,?,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A78DD
    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A7901
    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?), ref: 100A791B
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?,?), ref: 100A79DC
    • HeapFree.KERNEL32(00000000,00000000,?,?,100A7D88,?,00000010,?,00000009,00000009,?,1009FEC1,00000010,?,?,?), ref: 100A79F3
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual$FreeHeap
    • String ID:
    • API String ID: 714016831-0
    • Opcode ID: a5e1a649ebce402a5b434beaf74f24afdac75aa47d117765f0271bb3c3eb6095
    • Instruction ID: fc3b1f2f16ac1edc27d23eacd074c2d4b113a642641c364ce0c648309d99aa48
    • Opcode Fuzzy Hash: a5e1a649ebce402a5b434beaf74f24afdac75aa47d117765f0271bb3c3eb6095
    • Instruction Fuzzy Hash: 1631267664071ADFD320CF28CC84B2677E5FB45790F20862BE59A9B6D0DB70A841C758
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: 773b63946a54e029279f74e363202ac7e46494e809db1a43909fca302e94e3e1
    • Instruction ID: 1c73a3fad27fc45726235786101f17ef1dd38906a74bbd67e98ce6f7336eb253
    • Opcode Fuzzy Hash: 773b63946a54e029279f74e363202ac7e46494e809db1a43909fca302e94e3e1
    • Instruction Fuzzy Hash: 664147311042B89BEB36CA98CD99FEBBFA9EB09B04F1010F5D585DB193C3214944DBB2
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 100B363F
    • SetWindowsHookExA.USER32(000000FF,V&C,00000000,00000000), ref: 100B364F
      • Part of subcall function 100B83CB: __EH_prolog.LIBCMT ref: 100B83D0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CurrentH_prologHookThreadWindows
    • String ID: V&C
    • API String ID: 2183259885-1695398598
    • Opcode ID: 4a0c23395f836818af9c28b16c4f11915896402e82734140c132ba99e29c509b
    • Instruction ID: 78048515fd0e9a15a43ecb7b518d2917f0918a3669aac28163517432cd1fc61c
    • Opcode Fuzzy Hash: 4a0c23395f836818af9c28b16c4f11915896402e82734140c132ba99e29c509b
    • Instruction Fuzzy Hash: 79F0A03D4006506FD7209B70ED08B9936A0FF04761F650744F953AA2A1DB30AD80CB62
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • EnterCriticalSection.KERNEL32(102372C8,?,102372AC,102372C8,102372AC,?,100B82F6,0098EB38,00000000,00000000,?,?,1009D472,?,000000FF), ref: 100B8274
    • LeaveCriticalSection.KERNEL32(102372C8,?,?,100B82F6,0098EB38,00000000,00000000,?,?,1009D472,?,000000FF,?,1009E5C6,?,?), ref: 100B8284
    • LocalFree.KERNEL32(00000003,?,100B82F6,0098EB38,00000000,00000000,?,?,1009D472,?,000000FF,?,1009E5C6,?,?,?), ref: 100B828D
    • TlsSetValue.KERNEL32(102372AC,00000000,?,100B82F6,0098EB38,00000000,00000000,?,?,1009D472,?,000000FF,?,1009E5C6,?,?), ref: 100B82A3
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterFreeLeaveLocalValue
    • String ID:
    • API String ID: 2949335588-0
    • Opcode ID: ff663e0cca6a86ed0dadfcb778f9189d686d9368ccdec6cb3665bc74eaabb359
    • Instruction ID: ed143d64073d0a1e94eaf9b39500f5f4128a1b4499ab4b215e09bcaa61158b4e
    • Opcode Fuzzy Hash: ff663e0cca6a86ed0dadfcb778f9189d686d9368ccdec6cb3665bc74eaabb359
    • Instruction Fuzzy Hash: 11217939601610EFEB14CF84C885BAA77E5FF45751F108469EA529B1A1C771FE41CB50
    Uniqueness
    • Uniqueness Score: -1.00%
    APIs
    • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,100A71E2,?,?,?,1009FE63,?,?,?,?,?,?), ref: 100A7442
    • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,100A71E2,?,?,?,1009FE63,?,?,?,?,?,?), ref: 100A7476
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 100A7490
    • HeapFree.KERNEL32(00000000,?), ref: 100A74A7
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AllocHeap$FreeVirtual
    • String ID:
    • API String ID: 3499195154-0
    • Opcode ID: c1ea4dfeddbe9e6ed8214b2c14d7306fbc4eade8343a3f74ef79499c1336384a
    • Instruction ID: 2c20319bad1c28ef711661fa7fbd9028b6d979ea8596f2957e05b0d7aaae370e
    • Opcode Fuzzy Hash: c1ea4dfeddbe9e6ed8214b2c14d7306fbc4eade8343a3f74ef79499c1336384a
    • Instruction Fuzzy Hash: 871158702006619FEB31CF58CCC9D5A7BB6FB8D3607108A29E1A6CA5B2C3309942DF10
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.KERNEL32(102373A0,?,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B), ref: 100B8E4E
    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B), ref: 100B8E60
    • LeaveCriticalSection.KERNEL32(102373A0,?,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B), ref: 100B8E69
    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B,100B40F3), ref: 100B8E7B
      • Part of subcall function 100B8D80: GetVersion.KERNEL32(?,100B8E23,?,100B83EC,00000010,?,?,?,?,?,100B7D65,100B7DC8,100B7644,100B7D6B,100B40F3,1009D463), ref: 100B8D93
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Enter$InitializeLeaveVersion
    • String ID:
    • API String ID: 1193629340-0
    • Opcode ID: e531bb49b0eba0f39f75e835d722d6ac0fe849d55abdcbee5780fa29f2afd9b5
    • Instruction ID: d995fcdc5bfdd8422e1df45e00fb7c6f237e9ea7424d40d11a5b460f46ec3cfe
    • Opcode Fuzzy Hash: e531bb49b0eba0f39f75e835d722d6ac0fe849d55abdcbee5780fa29f2afd9b5
    • Instruction Fuzzy Hash: D3F04F3900126BDFDB10EFA8CCC8996B3ADFB58326B400436EA1586032D735F959DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeCriticalSection.KERNEL32(?,100A2A44,?,1009E4F4), ref: 100A5AD8
    • InitializeCriticalSection.KERNEL32 ref: 100A5AE0
    • InitializeCriticalSection.KERNEL32 ref: 100A5AE8
    • InitializeCriticalSection.KERNEL32 ref: 100A5AF0
    Memory Dump Source
    • Source File: 00000003.00000002.4066840109.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.4066812809.0000000010000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000100BE000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4066921397.00000000101CD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067104806.000000001020E000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067127421.0000000010210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067152175.0000000010211000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067178887.000000001021B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067202705.000000001021F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067228057.000000001022B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010235000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067256180.0000000010237000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.4067315947.0000000010239000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID:
    • API String ID: 32694325-0
    • Opcode ID: a3dbd360746503a390bcc2d4b67aa406925a366b79a2ef3cc35c529021e603d2
    • Instruction ID: 29c78103e5d665d90befb387c0a0bcd68c9463bf0efcf30c9ccee5b762416334
    • Opcode Fuzzy Hash: a3dbd360746503a390bcc2d4b67aa406925a366b79a2ef3cc35c529021e603d2
    • Instruction Fuzzy Hash: 13C0023980103CAADE126B75EE8E88A7F26EB082A13218073E50853134CE321C20EFD0
    Uniqueness

    Uniqueness Score: -1.00%