
Windows Analysis Report
WN9uCxgU1T.exe

Overview

General Information

Sample name:WN9uCxgU1T.exe
renamed because original name is a hash value
Original sample name:d88cbfff7d6a8163e124249f07e2f8434d6e5474fcda9f916f89afe50b88f413.exe
Analysis ID:1588267
MD5:8d1f05431e7319272bac9c427279c83c
SHA1:5b712cf5c1706213f3eccf0538a722dc02547b93
SHA256:d88cbfff7d6a8163e124249f07e2f8434d6e5474fcda9f916f89afe50b88f413
Tags:exe, user-adrian__luca

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found potential string decryption / allocating functions
One or more processes crash
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WN9uCxgU1T.exe (PID: 3964 cmdline: "C:\Users\user\Desktop\WN9uCxgU1T.exe" MD5: 8D1F05431E7319272BAC9C427279C83C)
    • WerFault.exe (PID: 5412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 532 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: WN9uCxgU1T.exe | Virustotal: Detection: 71%
Source: WN9uCxgU1T.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: WN9uCxgU1T.exe | Joe Sandbox ML: detected
Source: WN9uCxgU1T.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net

System Summary

Source: WN9uCxgU1T.exe, 00000000.00000000.1348076715.0000000000E44000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WN9uCxgU1T.exe, 00000000.00000000.1348076715.0000000000E44000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: WN9uCxgU1T.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WN9uCxgU1T.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB21C5
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DC62D2
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00E103DA
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DC242E
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB25FA
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DA66E1
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00D9E6A0
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DEE616
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DC878F
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DF8889
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DC6844
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00E10857
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DBCB21
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DC6DB6
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DA6F9E
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DA3030
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DBF1D9
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB3187
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00D91287
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB1484
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DA5520
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB7696
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DA5760
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB1978
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DBD975
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DC9AB5
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00D9FCE0
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00E17DDB
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB1D90
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DBBDA6
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DA3FE0
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00D9DF00
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: String function: 00D998C0 appears 32 times
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: String function: 00DB8900 appears 42 times
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: String function: 00D99A98 appears 32 times
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 532
Source: WN9uCxgU1T.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3964
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7ad76f8b-9892-4c4d-9994-c9632e54678a
Source: WN9uCxgU1T.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WN9uCxgU1T.exe | Virustotal: Detection: 71%
Source: WN9uCxgU1T.exe | ReversingLabs: Detection: 91%
Source: unknown | Process created: C:\Users\user\Desktop\WN9uCxgU1T.exe "C:\Users\user\Desktop\WN9uCxgU1T.exe"
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 532
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Section loaded: wsock32.dll
Source: WN9uCxgU1T.exe | Static file information: File size 1181184 > 1048576
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB8945 push ecx; ret 0_2_00DB8958
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00D92F12 push es; retf 0_2_00D92F13
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB7DCD ___security_init_cookie,LdrInitializeThunk
Source: WN9uCxgU1T.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\WN9uCxgU1T.exe | Code function: 0_2_00DB862B cpuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the report's count of matched signatures for that technique)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
  • Privilege Escalation: Process Injection (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (2), Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1), Obfuscated Files or Information (2)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (1), System Information Discovery (11), Internet Connection Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner | Label
WN9uCxgU1T.exe | 72% | Virustotal |
WN9uCxgU1T.exe | 91% | ReversingLabs | Win32.Trojan.AutoitInject
WN9uCxgU1T.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | | high

No contacted IP infos
      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1588267
      Start date and time:2025-01-10 23:21:01 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 45s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Run with higher sleep bypass
      Number of new started processes analysed:10
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:WN9uCxgU1T.exe
      renamed because original name is a hash value
      Original Sample Name:d88cbfff7d6a8163e124249f07e2f8434d6e5474fcda9f916f89afe50b88f413.exe
      Detection:MAL
      Classification:mal60.winEXE@2/5@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 1
      • Number of non-executed functions: 61
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.45, 40.126.31.69, 172.202.163.200
      • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed; the report is missing behavior information
      No simulations
      No context
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      s-part-0017.t-0009.t-msedge.net | Full-Ver_Setup.exe | malicious | LummaC Stealer | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | Qz8OEUxYuH.exe | malicious | FormBook | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | ztcrKv3zFz.exe | malicious | FormBook | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | gH3LlhcRzg.exe | malicious | FormBook | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | 3j7f6Bv4FT.exe | malicious | Unknown | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | rComprobante_swift_8676534657698632.exe | malicious | AgentTesla | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | iRmpdWgpoF.exe | malicious | Unknown | 13.107.246.45
      s-part-0017.t-0009.t-msedge.net | 7cYDC0HciP.exe | malicious | Unknown | 13.107.246.45
      No context
      No context
      No context
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8456398484452747
      Encrypted:false
      SSDEEP:192:rpfI47y0BU/HafjedqzuiFXZ24IO8W5t:FI475BU/wjhzuiFXY4IO8w
      MD5:1651BE29A92733319E2D43B5AA036323
      SHA1:7B28EEACE7F712BF2E0B7B5C9056FE90E2DA5CB6
      SHA-256:DB93790F16C5591FF2903EEE8F3B697CB79409D58AE215FFA73AA60DDD0BCDD9
      SHA-512:C167730AA19EFC794E470FAD32CFFADEF713C328169C616020C376286E33EB6A3FB5C82A4E962670737D59D3CC2F36201B26E3BC41AE5D7834B3A1B0B5E7C868
      Malicious:true
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.2.1.3.1.3.0.8.1.3.8.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.2.1.3.1.3.4.7.2.0.0.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.2.6.0.d.5.3.-.c.f.8.4.-.4.b.0.7.-.9.2.8.6.-.7.9.0.e.3.b.f.e.8.8.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.6.d.8.5.8.7.-.e.6.1.5.-.4.2.8.0.-.9.6.c.4.-.1.d.9.9.a.c.d.5.0.a.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.N.9.u.C.x.g.U.1.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.7.c.-.0.0.0.1.-.0.0.1.4.-.b.1.0.f.-.b.b.0.c.a.e.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.a.4.2.f.a.a.7.4.4.4.f.f.1.0.3.9.f.4.1.3.6.6.e.0.2.9.3.e.1.3.1.0.0.0.0.0.9.0.8.!.0.0.0.0.5.b.7.1.2.c.f.5.c.1.7.0.6.2.1.3.f.3.e.c.c.f.0.5.3.8.a.7.2.2.d.c.0.2.5.4.7.b.9.3.!.W.N.9.u.C.x.g.U.1.T...e.x.e.....T.a.r.g.e.t.A.p.p.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Fri Jan 10 22:21:53 2025, 0x1205a4 type
      Category:dropped
      Size (bytes):41622
      Entropy (8bit):1.8662960209826047
      Encrypted:false
      SSDEEP:192:ItLkvp9Q2MYHOYi+xdY2FQ5x5R4g1zDUsn:5vp9iYuEwpH34gZ
      MD5:0B76B8C93AC9202C49C1D3A58D0A378F
      SHA1:6CE827E03CFDD24C0D6F6225F4C13F7030ECF2ED
      SHA-256:DBFB6ABB6E4EF38BB19B8FA913809305A6B9541E5781D649DA5CC7C8BF895FF1
      SHA-512:8C496506A7310CB5BF6C8902D8FE3BEA74BAD9A5F0D7BD5B0CB73DAA300D11C55CDD1DAE6824B0D9E980AC5FB00A95C1E7C8B87CBC43BC73702698323A60385C
      Malicious:false
      Reputation:low
      Preview:MDMP..a..... ..........g........................\...............b'..........T.......8...........T...........P...F.......................................................................................................eJ......|.......GenuineIntel............T.......|......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8294
      Entropy (8bit):3.7000104771248514
      Encrypted:false
      SSDEEP:192:R6l7wVeJYI6V6YcDcSUEm6gmfGZprj89bKasfwf0Om:R6lXJP6V6Y7SUEm6gmfGwK5fok
      MD5:CD20A6B6C8D06FDA9C92262EB549015D
      SHA1:85C83061A3E112B94C75CBF5DB4BBDD2C725E458
      SHA-256:03A935C6D2ED821F5CE703D5CA19593CB8BF57A301C3F49FB8F55B2503690EE8
      SHA-512:E486467341A428FD4558C865C87D14557345ABD59A6812CC93295DEAC9DE31FCB7E26E80B163D9667092DB3023852D9085C2B09F2BBE2C766B869F3AB2E9956E
      Malicious:false
      Reputation:low
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.6.4.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4579
      Entropy (8bit):4.4753286718372145
      Encrypted:false
      SSDEEP:48:cvIwWl8zsFJg77aI9zAWpW8VYOYm8M4JkVIFum+q8iniFHSuUd:uIjffI7l57VGJdqFHSuUd
      MD5:8BDF4A573850C4C61C2A65F4890A9377
      SHA1:F66400CE5BFDF3EFB3A25B289D45E4FAE8C413A7
      SHA-256:9CD32F4DDAFAA4B65BB1A1CE910AC89F97E7FCD3E40A5747566DE96114C0EFC1
      SHA-512:7F9A99B29228F9C9B4370D22CC12B03BE1DEE02B57EF82B2E07605B46EC77C6D4589501AA7A3CA226040D3F08B77CAA47C17964EEA5BD72B51699C30BF07EAD6
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670404" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.393915259625943
      Encrypted:false
      SSDEEP:6144:Sl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAZOBSqa:i4vF0MYQUMM6VFYSZU
      MD5:4B1C4DA94D3610CD66AA9106481A6C2B
      SHA1:D937E8E91D0E7D7EAC16E6128269B6867ACDC776
      SHA-256:AF2D72504D82488EF0717BC46C20B8831DCC5F8890999BE1E520FC0B61F415FF
      SHA-512:A1695B6F5C51C93A7DBF4BCD2742DA13365E66BA501097BC9776278400539781946474251D9538724B1F435BC6DCCBCBF611C78B000146E317244700E1E4D93C
      Malicious:false
      Reputation:low
      Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"....c..............................................................................................................................................................................................................................................................................................................................................*..8........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.015060738482099
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.70%
      • Win32 EXE Yoda's Crypter (26571/9) 0.26%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:WN9uCxgU1T.exe
      File size:1'181'184 bytes
      MD5:8d1f05431e7319272bac9c427279c83c
      SHA1:5b712cf5c1706213f3eccf0538a722dc02547b93
      SHA256:d88cbfff7d6a8163e124249f07e2f8434d6e5474fcda9f916f89afe50b88f413
      SHA512:ab27c30c814452650b32e4f0c09c1ea3a7a72e45b3d349f710236d0249ffdec803d418a489b1dbc666de1449871386f2bdcb3c9021c3f7dfcb4d5caf97c76af5
      SSDEEP:24576:Fu6J33O0c+JY5UZ+XC0kGsoTCcNWHrLZw3URcfp6:Hu0c++OCvkGsECcNai3Umf
      TLSH:7745CF2273DDC360CB669173BF6AA7017E7B7C614630B95B2F980D3DA960162162C7A3
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
      Icon Hash:aaf3e3e3938382a0
      Entrypoint:0x427dcd
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
      Time Stamp:0x6756FD41 [Mon Dec 9 14:22:57 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:1
      File Version Major:5
      File Version Minor:1
      Subsystem Version Major:5
      Subsystem Version Minor:1
      Import Hash:bd3825b6e0410966f0c31f64b6c7644a
      Instruction
      call 00007F1CF56C868Ah
      jmp 00007F1CF56BB454h
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      push edi
      push esi
      mov esi, dword ptr [esp+10h]
      mov ecx, dword ptr [esp+14h]
      mov edi, dword ptr [esp+0Ch]
      mov eax, ecx
      mov edx, ecx
      add eax, esi
      cmp edi, esi
      jbe 00007F1CF56BB5DAh
      cmp edi, eax
      jc 00007F1CF56BB93Eh
      bt dword ptr [004C31FCh], 01h
      jnc 00007F1CF56BB5D9h
      rep movsb
      jmp 00007F1CF56BB8ECh
      cmp ecx, 00000080h
      jc 00007F1CF56BB7A4h
      mov eax, edi
      xor eax, esi
      test eax, 0000000Fh
      jne 00007F1CF56BB5E0h
      bt dword ptr [004BE324h], 01h
      jc 00007F1CF56BBAB0h
      bt dword ptr [004C31FCh], 00000000h
      jnc 00007F1CF56BB77Dh
      test edi, 00000003h
      jne 00007F1CF56BB78Eh
      test esi, 00000003h
      jne 00007F1CF56BB76Dh
      bt edi, 02h
      jnc 00007F1CF56BB5DFh
      mov eax, dword ptr [esi]
      sub ecx, 04h
      lea esi, dword ptr [esi+04h]
      mov dword ptr [edi], eax
      lea edi, dword ptr [edi+04h]
      bt edi, 03h
      jnc 00007F1CF56BB5E3h
      movq xmm1, qword ptr [esi]
      sub ecx, 08h
      lea esi, dword ptr [esi+08h]
      movq qword ptr [edi], xmm1
      lea edi, dword ptr [edi+08h]
      test esi, 00000007h
      je 00007F1CF56BB635h
      bt esi, 03h
      jnc 00007F1CF56BB688h
      Programming Language:
      • [ASM] VS2013 build 21005
      • [ C ] VS2013 build 21005
      • [C++] VS2013 build 21005
      • [ C ] VS2008 SP1 build 30729
      • [IMP] VS2008 SP1 build 30729
      • [ASM] VS2013 UPD4 build 31101
      • [RES] VS2013 build 21005
      • [LNK] VS2013 UPD4 build 31101
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x57d28 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x8f000 | 0x2e10e | 0x2e200 | fc8a5b32808697dd41c898d938b66f67 | False | 0.3239911500677507 | data | 5.674452471189642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0xc7000 | 0x57d28 | 0x57e00 | 85cd222b991fda5a325b16896fb0734f | False | 0.9251255778805121 | data | 7.886977822355403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x11f000 | 0x711c | 0x7200 | 8a46a4bc77a3f321996ff4079f834054 | False | 0.0017475328947368421 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
      RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
      RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
      RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
      RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
      RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
      RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
      RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
      RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
      RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
      RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
      RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
      RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
      RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
      RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
      RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
      RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
      RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
      RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
      RT_RCDATA | 0xcf7b8 | 0x4efee | data | | | 1.000327599315132
      RT_GROUP_ICON | 0x11e7a8 | 0x76 | data | English | Great Britain | 0.6610169491525424
      RT_GROUP_ICON | 0x11e820 | 0x14 | data | English | Great Britain | 1.25
      RT_GROUP_ICON | 0x11e834 | 0x14 | data | English | Great Britain | 1.15
      RT_GROUP_ICON | 0x11e848 | 0x14 | data | English | Great Britain | 1.25
      RT_VERSION | 0x11e85c | 0xdc | data | English | Great Britain | 0.6181818181818182
      RT_MANIFEST | 0x11e938 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
      DLL | Import
      KERNEL32.DLL: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
      ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
      COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
      COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
      GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
      IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
      MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
      ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
      OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
      PSAPI.DLL: GetProcessMemoryInfo
      SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
      USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
      USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
      UxTheme.dll: IsThemeActive
      VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
      WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
      WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
      WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
      Language of compilation system | Country where language is spoken
      English | Great Britain
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Jan 10, 2025 23:21:49.896677017 CET | 1.1.1.1 | 192.168.2.9 | 0xa10 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
      Jan 10, 2025 23:21:49.896677017 CET | 1.1.1.1 | 192.168.2.9 | 0xa10 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


      Target ID:0
      Start time:17:21:52
      Start date:10/01/2025
      Path:C:\Users\user\Desktop\WN9uCxgU1T.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\WN9uCxgU1T.exe"
      Imagebase:0xd90000
      File size:1'181'184 bytes
      MD5 hash:8D1F05431E7319272BAC9C427279C83C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:4
      Start time:17:21:52
      Start date:10/01/2025
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 532
      Imagebase:0x270000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true


        Execution Graph

        Execution Coverage:0%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:66.7%
        Total number of Nodes:3
        Total number of Limit Nodes:0
        execution_graph 123733 db7dcd 123736 dc4e87 123733->123736 123737 db7dd2 LdrInitializeThunk 123736->123737

        Control-flow Graph

        control_flow_graph 0 db7dcd-db7dd2 call dc4e87 LdrInitializeThunk
        APIs
        • ___security_init_cookie.LIBCMT ref: 00DB7DCD
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: ___security_init_cookie
        • String ID:
        • API String ID: 3657697845-0
        • Opcode ID: 37d1d09d41eb5fcb3a4af465fc0fb251569986102ab4ab40f909050fe7e311e5
        • Instruction ID: 43efc844c85ed64d94cd6d8feb6049979aa17656c91e9cfa11b290de758670cb
        • Opcode Fuzzy Hash: 37d1d09d41eb5fcb3a4af465fc0fb251569986102ab4ab40f909050fe7e311e5
        • Instruction Fuzzy Hash:
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memmove$_memset
        • String ID: $ ]K$"$'$)$+$-$0$9$<$@$P\K$R$n$o$p$q$s{p${
        • API String ID: 1357608183-3800155241
        • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
        • Instruction ID: 90538cc09f6e9074dda3ac3760c527690d357a5e468969659386e16db1c4696f
        • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
        • Instruction Fuzzy Hash: 3A93B275E00259DBDF24DF59C881BBDB7B1FF48310F29816AE945AB281E7709E81CB60
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID:
        • String ID: 0DJ$0DJ$ERCP$VUUU$VUUU$VUUU$VUUU
        • API String ID: 0-223423113
        • Opcode ID: f5ff305bdbafe341a1db575146456b4f73aa52c1d9f9d9bce80aef23edd1e421
        • Instruction ID: 85bd88791e16e4acff6c36224dd947d4dd087dabd1c9da34c85bb45a986710ee
        • Opcode Fuzzy Hash: f5ff305bdbafe341a1db575146456b4f73aa52c1d9f9d9bce80aef23edd1e421
        • Instruction Fuzzy Hash: 81A29270E0421ACBDF24CF58C9407ADB7B1BF95314F1885AAD859A7380E7B49E81DFA1

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memmove
        • String ID:
        • API String ID: 4104443479-0
        • Opcode ID: bc5590fee32963866547a934e2f4481e6f2daf4eb5e9485274101ae2dbc06eb9
        • Instruction ID: f9948511c5b353e27e0c3f4df8646b23d374392718f0fbd803adf9bab2511f85
        • Opcode Fuzzy Hash: bc5590fee32963866547a934e2f4481e6f2daf4eb5e9485274101ae2dbc06eb9
        • Instruction Fuzzy Hash: 89127970A00609EFDF04DFA5D981AEEB7F5FF48310F104529E846A7294EB76A961CB70

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __itow__swprintf
        • String ID: 3cA
        • API String ID: 674341424-2523384761
        • Opcode ID: bd8f269727dd203b3cd5d455fda2b58de944a4bb22d2e13bbec33b21dd907dda
        • Instruction ID: 34c4193b494f91ca1dbbddb3db1d4076a57b3acc945d6ffb9832bd569c68496a
        • Opcode Fuzzy Hash: bd8f269727dd203b3cd5d455fda2b58de944a4bb22d2e13bbec33b21dd907dda
        • Instruction Fuzzy Hash: 02226A716083009FCB24DF28D891B6EB7E5EF89710F14491DF89A97291DB71E904CBB2
        Similarity
        • API ID:
        • String ID: pbL
        • API String ID: 0-2198975964
        • Opcode ID: f4dcd20d2bc5d81d89870ef2a695217c5eca1df5ed962e9f7e233abbde67ac23
        • Instruction ID: bae848136c38c95501194bec4a780c7b1e8d49aafdf220045d48661c22a83e7f
        • Opcode Fuzzy Hash: f4dcd20d2bc5d81d89870ef2a695217c5eca1df5ed962e9f7e233abbde67ac23
        • Instruction Fuzzy Hash: EE925B706083419FDB20DF14C490B6ABBE1FF86304F19896DE89A9B351D775EC45CBA2
        APIs
          • Part of subcall function 00DB0DB6: std::exception::exception.LIBCMT ref: 00DB0DEC
          • Part of subcall function 00DB0DB6: __CxxThrowException@8.LIBCMT ref: 00DB0E01
        • _memmove.LIBCMT ref: 00DE0258
        • _memmove.LIBCMT ref: 00DE036D
        • _memmove.LIBCMT ref: 00DE0414
        Similarity
        • API ID: _memmove$Exception@8Throwstd::exception::exception
        • String ID:
        • API String ID: 1300846289-0
        • Opcode ID: 7e59d6d005cac17bdf0d515b6185c65b2e751bd3579f41a42c57154c824fcbd6
        • Instruction ID: 7d76af429d06c07a3fb77d2aa38375916653b7803e27b82c1bdf5d0ee0942513
        • Opcode Fuzzy Hash: 7e59d6d005cac17bdf0d515b6185c65b2e751bd3579f41a42c57154c824fcbd6
        • Instruction Fuzzy Hash: 1D02B070A00209DFCF04EF69D981AAEBBF5EF45300F148069E84ADB295EB75D950CBB5
        Similarity
        • API ID:
        • String ID: DdL$DdL$DdL$DdL
        • API String ID: 0-1563988167
        • Opcode ID: d23c6b499de0a7fbb547df9319404598a5cece590a92a1b032f5e0038fb359f7
        • Instruction ID: df622dbb0c21220af1fe642a9a035b006b996d3992e0b35098c0f79728d6490a
        • Opcode Fuzzy Hash: d23c6b499de0a7fbb547df9319404598a5cece590a92a1b032f5e0038fb359f7
        • Instruction Fuzzy Hash: 1E929C75A00205CFCF24CF98C480AAEB7B1FF59314F29856AE845AB351D735ED82CBA5
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 25a1e612490df0e2fd5aff0df4db96d0646e8fd45de2b35679b98956547aaa80
        • Instruction ID: 93cc32113d6d84a6751fd4b64401ea76e6bf3309298803bfde1fe3d7582cd21e
        • Opcode Fuzzy Hash: 25a1e612490df0e2fd5aff0df4db96d0646e8fd45de2b35679b98956547aaa80
        • Instruction Fuzzy Hash: 0512CF71600205ABEB258F24CD49FEF7BB4EB49714F104629F916FA2E1DF749985CB20
        APIs
        • __time64.LIBCMT ref: 00DF889B
          • Part of subcall function 00DB520A: __aulldiv.LIBCMT ref: 00DB5233
        Similarity
        • API ID: __aulldiv__time64
        • String ID: 0eL
        • API String ID: 325419493-3167399643
        • Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
        • Instruction ID: ecb4487547bf79ec4904c5b9ea5f82777b3f37579da573928e76747348c5b439
        • Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
        • Instruction Fuzzy Hash: 3521A5326255108BC729CF29E441A51B3E1EBA5311B69CE6CD1F5CB2C0CA34A905DB64
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7fedcd55ce1be01234807a739cd4bdd318ff75d00aeb43b21d4f5e2df7acffac
        • Instruction ID: c92fce2968f6a5071d8bb696c3f571a24fa9013cb23c092e92780f81f26de905
        • Opcode Fuzzy Hash: 7fedcd55ce1be01234807a739cd4bdd318ff75d00aeb43b21d4f5e2df7acffac
        • Instruction Fuzzy Hash: 11229DB4A00215DFDF24DF54C490AAEB7B1FF04310F18856AE896AB351E774E985CBB1
        Similarity
        • API ID:
        • String ID: 0DJ0EJ0FJpGJ$pGJ
        • API String ID: 0-2520054932
        • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
        • Instruction ID: c97722a5e159a90ba96b60206b1e0755b3a0524d57f81fabe57f0405d949a70b
        • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
        • Instruction Fuzzy Hash: DF727075E00259DBDB14DF59C8807AEB7B5FF49310F18816AE949EB290E734DE81CBA0
        Similarity
        • API ID:
        • String ID: ($|
        • API String ID: 0-1631851259
        • Opcode ID: e10e0101c6e5428e3f3f3b8754e90dc55a18d34dd6833db7f52c40727a3dee7e
        • Instruction ID: d77700237bfc2729475b1cf22c2009788b6483295ab608e8e5abb82a614ee4f3
        • Opcode Fuzzy Hash: e10e0101c6e5428e3f3f3b8754e90dc55a18d34dd6833db7f52c40727a3dee7e
        • Instruction Fuzzy Hash: D9323675A007059FD728EF19C4819AAB7F1FF48320B15C46EE89ADB3A1D770E941CB54
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
        • Instruction ID: aa8540cdc928fe39af1e46a7695dadc3aadb4e1d0c4c12886fe4b91816ba81d2
        • Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
        • Instruction Fuzzy Hash: 49320535D29F018DD7239638DC32339A289AFB73C8F15D737E81AB59A5EB28D4834214
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
        • Instruction ID: 51888345e1a18a8d09705ffc37ba3a9a3f254cfbe2146d3d901594d2cbbf50cb
        • Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
        • Instruction Fuzzy Hash: 8EB1F020E2AF414DD72396398835336BA9CAFBB2C5F51D72BFC2670D22EB2185934185
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5eb806d70b46a9202dd3e543ee6ca14ab650e64b5adbaddcfbe08c0bc828943e
        • Instruction ID: 5445ceb5629206e85a59a6e78f3504a036c611c076545666bceb64b608178fcc
        • Opcode Fuzzy Hash: 5eb806d70b46a9202dd3e543ee6ca14ab650e64b5adbaddcfbe08c0bc828943e
        • Instruction Fuzzy Hash: 52026E756006019FCB14EF28C851E6AB7E5FF89314F04895DF89A9B362DB70EC81CBA1
        Similarity
        • API ID: __itow__swprintf
        • String ID:
        • API String ID: 674341424-0
        • Opcode ID: 4343597e8507452ccff4b02692f110eb0ad94be3eec77fb80de36c15d9900197
        • Instruction ID: 4e98a8e8f1a2efd206a6173746a4dbf913bb54998f939a5330ff2b0107d72cd1
        • Opcode Fuzzy Hash: 4343597e8507452ccff4b02692f110eb0ad94be3eec77fb80de36c15d9900197
        • Instruction Fuzzy Hash: E2E14E31604204AFCB14DF68C895E6EBBE5FF89314F04896DF44ADB261D770E985CBA2
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
        • Instruction ID: f2ab49882c58938813d8b9a9a9c324f3096a910e20533aed382efc2d675f4ce2
        • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
        • Instruction Fuzzy Hash: CEA15A78106547BEEF28AB284C45FBF359DDF42351F28021EF582D6192CB20DD8296B5
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
        • Instruction ID: e7fdbebdfd8ceb2ef365b891ef7f047061e79ebfac772ff705b0a1960bdc1c5d
        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
        • Instruction Fuzzy Hash: D8C18F372051938ADF2D463A84740BEBAA15EA27B136E076DD8B3CB5D4EE20C965D630
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
        • Instruction ID: d6a060051b74978a0b088d7686ec12249df54422a4c8928a528d2f8a607d61bd
        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
        • Instruction Fuzzy Hash: D5C180372151938ADF2D463AC4341BEBBA15EA27B136E07ADD4B3DB1D4EE20C925D630
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
        • Instruction ID: 8f23e97fb83cf9df1fd33418307f931fc014d012c39d02a6f95fb52eb3638506
        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
        • Instruction Fuzzy Hash: 03C182372151938ADF2D463AC4340BEBAA15EA27B135E076DE8B3CB1D4EE20C925D630
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
        • Instruction ID: 5a48a6d29cd19a73a14b105ae45440586b0f0bd0ca0c16ed166175e4d7e7616e
        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
        • Instruction Fuzzy Hash: 8FC1813A21519389DF2D463AC4341BEFBA15EA27B13AE076DD4B3CB1C4EE20D925D630
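The "API String ID" on these records is a pair of hashes joined by a hyphen (the API-set hash first, then the string-set hash, with 0 on a side that is empty), so the two records with API ID __itow__swprintf share the leading component 674341424 even though their String IDs differ, while the four records immediately above carry Instruction Fuzzy Hashes that differ in only about a dozen of their 70 hex digits. The script below is an added example, not code from Joe Sandbox or from this report: it parses records in the format shown on this page, groups them by that API-hash component, and ranks pairs by a positional hex-digit comparison of the Instruction Fuzzy Hash. The hash decomposition and the similarity metric are this example's own assumptions about the format, not documented Joe Sandbox behaviour; the sample records are copied from this listing and trimmed to the fields the code uses.

```python
"""Parse the per-function "Similarity" records that Joe Sandbox emits in the
Execution Graph section, group them by the API-hash half of "API String ID",
and rank pairs by instruction fuzzy-hash similarity.

Added example, not part of the Joe Sandbox report or its tooling. The record
layout is taken from this page; the split of "API String ID" into
"<api hash>-<string hash>" (0 = none) and the positional-nibble similarity
are this example's own assumptions, not Joe Sandbox's documented semantics.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: four records copied from this report's listing,
# trimmed to the fields used below.
SAMPLE = """\
Similarity
• API ID: __itow__swprintf
• String ID: 3cA
• API String ID: 674341424-2523384761
• Opcode ID: bd8f269727dd203b3cd5d455fda2b58de944a4bb22d2e13bbec33b21dd907dda
• Instruction Fuzzy Hash: 02226A716083009FCB24DF28D891B6EB7E5EF89710F14491DF89A97291DB71E904CBB2
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: 4343597e8507452ccff4b02692f110eb0ad94be3eec77fb80de36c15d9900197
• Instruction Fuzzy Hash: E2E14E31604204AFCB14DF68C895E6EBBE5FF89314F04896DF44ADB261D770E985CBA2
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: D8C18F372051938ADF2D463A84740BEBAA15EA27B136E076DD8B3CB5D4EE20C965D630
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: D5C180372151938ADF2D463AC4341BEBBA15EA27B136E07ADD4B3DB1D4EE20C925D630
"""

# One bullet field per line: "• Key: Value" (Value may be empty).
FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Start a new record at each 'Similarity' header and collect its bullet fields."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.strip() == "Similarity":
            records.append({})
            continue
        m = FIELD_RE.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records


def api_hash(rec: Dict[str, str]) -> Optional[str]:
    """Leading component of 'API String ID'; None when the function references no API."""
    head = rec.get("API String ID", "").split("-", 1)[0]
    return head if head not in ("", "0") else None


def group_by_api(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map API hash -> Opcode IDs of every function that shares that API set."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        h = api_hash(rec)
        if h is not None:
            groups[h].append(rec["Opcode ID"])
    return dict(groups)


def nibble_matches(a: str, b: str) -> int:
    """Positions at which two hex fuzzy hashes agree (case-insensitive, common prefix only)."""
    return sum(1 for x, y in zip(a.upper(), b.upper()) if x == y)


def fuzzy_similarity(a: str, b: str) -> float:
    """Matching nibbles divided by the longer length, so unequal lengths score lower."""
    longest = max(len(a), len(b))
    return nibble_matches(a, b) / longest if longest else 0.0


class Pair(NamedTuple):
    left: str
    right: str
    score: float


def most_similar(records: List[Dict[str, str]]) -> Pair:
    """Highest-scoring pair of distinct records by Instruction Fuzzy Hash."""
    best = Pair("", "", -1.0)
    for i, r1 in enumerate(records):
        for r2 in records[i + 1:]:
            s = fuzzy_similarity(r1["Instruction Fuzzy Hash"], r2["Instruction Fuzzy Hash"])
            if s > best.score:
                best = Pair(r1["Opcode ID"], r2["Opcode ID"], s)
    return best


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for h, ids in group_by_api(recs).items():
        print(f"API hash {h}: {len(ids)} function(s) -> {[i[:8] for i in ids]}")
    print(most_similar(recs))
```

Run directly, it prints the single API-hash group (both __itow__swprintf functions) and the best pair: bf6ffcbe… / a635e2a3… at 58 of 70 matching digits, whereas the two __itow__swprintf hashes agree in only 38 of 70, which is why the API-set hash rather than the fuzzy hash is what links that pair. Against a full report, paste the whole "Similarity" listing into parse_records; groups with several members and pairs scoring above roughly 0.8 are the natural starting points for comparing a sample's functions with a known family.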

        Control-flow Graph
        • First basic block: 0x00D968DC (rendered graph and node list not shown)
        Similarity
        • API ID: __wcsnicmp
        • String ID:
        • API String ID: 1038674560-0
        • Opcode ID: 925611d6804fe502eb64822f337db5433ea1a7a143fe913b499dbfc23ac76dca
        • Instruction ID: 58a640b239ecdf9efaa4f2d15a92ea55ea76e02cec13b405d9283041bbf729aa
        • Opcode Fuzzy Hash: 925611d6804fe502eb64822f337db5433ea1a7a143fe913b499dbfc23ac76dca
        • Instruction Fuzzy Hash: 4F81F4B1640206BACF21AB64DC42FAF3768EF05700F184029F946AB196EF74EE45D7B5

        Control-flow Graph
        • First basic block: 0x00DF449A (rendered graph and node list not shown)
        Similarity
        • API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
        • String ID:
        • API String ID: 3576275495-0
        • Opcode ID: f2dd82df36c9484ed452d294227e50002af446f68463c0679fc1068f518ba4c5
        • Instruction ID: 6ca8cd1a5ad7bc9c92754d3aeaa8d514714b0c3c123fa15db22d22a22e2855d2
        • Opcode Fuzzy Hash: f2dd82df36c9484ed452d294227e50002af446f68463c0679fc1068f518ba4c5
        • Instruction Fuzzy Hash: 3741B532900204BBEB14BB749C47EFF77ACDF45720F14456AFA06E6182EA34DA0196B9

        Control-flow Graph

        control_flow_graph 1885 db6e03-db6e1c 1886 db6e1e-db6e28 call db8b28 call db8db6 1885->1886 1887 db6e36-db6e4b call db2de0 1885->1887 1894 db6e2d 1886->1894 1887->1886 1893 db6e4d-db6e50 1887->1893 1895 db6e52 1893->1895 1896 db6e64-db6e6a 1893->1896 1899 db6e2f-db6e35 1894->1899 1900 db6e58-db6e62 call db8b28 1895->1900 1901 db6e54-db6e56 1895->1901 1897 db6e6c 1896->1897 1898 db6e76-db6e87 call dc3cbc call dc3a13 1896->1898 1897->1900 1902 db6e6e-db6e74 1897->1902 1909 db6e8d-db6e99 call dc3a3d 1898->1909 1910 db7072-db707c call db8dc6 1898->1910 1900->1894 1901->1896 1901->1900 1902->1898 1902->1900 1909->1910 1915 db6e9f-db6eab call dc3a67 1909->1915 1915->1910 1918 db6eb1-db6eb8 1915->1918 1919 db6eba 1918->1919 1920 db6f28-db6f33 call dc3a91 1918->1920 1922 db6ebc-db6ec2 1919->1922 1923 db6ec4-db6ee0 call dc3a91 1919->1923 1920->1899 1927 db6f39-db6f3c 1920->1927 1922->1920 1922->1923 1923->1899 1928 db6ee6-db6ee9 1923->1928 1929 db6f6b-db6f78 1927->1929 1930 db6f3e-db6f47 call dc3d0c 1927->1930 1932 db702b-db702d 1928->1932 1933 db6eef-db6ef8 call dc3d0c 1928->1933 1934 db6f7a-db6f89 call dc4500 1929->1934 1930->1929 1938 db6f49-db6f69 1930->1938 1932->1899 1933->1932 1941 db6efe-db6f16 call dc3a91 1933->1941 1942 db6f8b-db6f93 1934->1942 1943 db6f96-db6fbd call dc4450 call dc4500 1934->1943 1938->1934 1941->1899 1948 db6f1c-db6f23 1941->1948 1942->1943 1951 db6fcb-db6ff2 call dc4450 call dc4500 1943->1951 1952 db6fbf-db6fc8 1943->1952 1948->1932 1957 db7000-db700f call dc4450 1951->1957 1958 db6ff4-db6ffd 1951->1958 1952->1951 1961 db703c-db7055 1957->1961 1962 db7011 1957->1962 1958->1957 1963 db7028 1961->1963 1964 db7057-db7070 1961->1964 1965 db7013-db7015 1962->1965 1966 db7017-db7025 1962->1966 1963->1932 1964->1932 1965->1966 1967 db7032-db7034 1965->1967 1966->1963 1967->1932 1968 db7036 1967->1968 1968->1961 1969 db7038-db703a 1968->1969 1969->1932 1969->1961
        APIs
        • _memset.LIBCMT ref: 00DB6E3E
          • Part of subcall function 00DB8B28: __getptd_noexit.LIBCMT ref: 00DB8B28
        • __gmtime64_s.LIBCMT ref: 00DB6ED7
        • __gmtime64_s.LIBCMT ref: 00DB6F0D
        • __gmtime64_s.LIBCMT ref: 00DB6F2A
        • __allrem.LIBCMT ref: 00DB6F80
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB6F9C
        • __allrem.LIBCMT ref: 00DB6FB3
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB6FD1
        • __allrem.LIBCMT ref: 00DB6FE8
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB7006
        • __invoke_watson.LIBCMT ref: 00DB7077
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
        • String ID:
        • API String ID: 384356119-0
        • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
        • Instruction ID: 2abb3a54acef0b3b7a6ec6881d66efb5a087eba76defb84914f91734a11a7de9
        • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
        • Instruction Fuzzy Hash: F971E676A00717EBD714AE68DC41BEAB7B8EF44764F14822EF516D7281E774DA008BB0

        Control-flow Graph

        control_flow_graph 2544 df9155-df9205 call dc1940 call db0db6 call d9522e call df8f5f call d94ee5 call db354c 2557 df920b-df9212 call df9734 2544->2557 2558 df92b8-df92bf call df9734 2544->2558 2563 df9218-df92b6 call db40fb call db2dbc call db2d8d call db40fb call db2d8d * 2 2557->2563 2564 df92c1-df92c3 2557->2564 2558->2564 2565 df92c8 2558->2565 2568 df92cb-df9387 call d94f0b * 8 call df98e3 call db525b 2563->2568 2567 df952a-df952b 2564->2567 2565->2568 2571 df9548-df9558 call d95211 2567->2571 2603 df9389-df938b 2568->2603 2604 df9390-df93ab call df8fa5 2568->2604 2603->2567 2607 df943d-df9449 call db53a6 2604->2607 2608 df93b1-df93b9 2604->2608 2615 df945f-df9463 2607->2615 2616 df944b-df945a 2607->2616 2609 df93bb-df93bf 2608->2609 2610 df93c1 2608->2610 2612 df93c6-df93e4 call d94f0b 2609->2612 2610->2612 2620 df940e-df9434 call df8953 call db4863 2612->2620 2621 df93e6-df93eb 2612->2621 2618 df9469-df94f2 call db40bb call df99ea call df8b06 2615->2618 2619 df9505-df9519 2615->2619 2616->2567 2629 df952d-df9543 call df98a2 2618->2629 2644 df94f4-df9503 2618->2644 2619->2629 2630 df951b-df9528 2619->2630 2620->2608 2643 df943a 2620->2643 2626 df93ee-df9401 call df90dd 2621->2626 2639 df9403-df940c 2626->2639 2629->2571 2630->2567 2639->2620 2643->2607 2644->2567
        APIs
          • Part of subcall function 00DF8F5F: __time64.LIBCMT ref: 00DF8F69
          • Part of subcall function 00D94EE5: _fseek.LIBCMT ref: 00D94EFD
        • __wsplitpath.LIBCMT ref: 00DF9234
          • Part of subcall function 00DB40FB: __wsplitpath_helper.LIBCMT ref: 00DB413B
        • _wcscpy.LIBCMT ref: 00DF9247
        • _wcscat.LIBCMT ref: 00DF925A
        • __wsplitpath.LIBCMT ref: 00DF927F
        • _wcscat.LIBCMT ref: 00DF9295
        • _wcscat.LIBCMT ref: 00DF92A8
          • Part of subcall function 00DF8FA5: _memmove.LIBCMT ref: 00DF8FDE
          • Part of subcall function 00DF8FA5: _memmove.LIBCMT ref: 00DF8FED
        • _wcscmp.LIBCMT ref: 00DF91EF
          • Part of subcall function 00DF9734: _wcscmp.LIBCMT ref: 00DF9824
          • Part of subcall function 00DF9734: _wcscmp.LIBCMT ref: 00DF9837
        • _wcsncpy.LIBCMT ref: 00DF94C5
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscat_wcscmp$__wsplitpath_memmove$__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
        • String ID:
        • API String ID: 2744720387-0
        • Opcode ID: 399d582de9c20c8765367d64c56b1fa89cf83462de3145a455e9ac53565308cb
        • Instruction ID: 3970a86cde8d8ad5b222edacd4ff649989dfd117e6f9f24600bf10b75e6d7c9b
        • Opcode Fuzzy Hash: 399d582de9c20c8765367d64c56b1fa89cf83462de3145a455e9ac53565308cb
        • Instruction Fuzzy Hash: 12C12AB1D0021DAADF21DF95CC95EEEB7B9EF45310F0080AAF609E6251DB309A858F75

        Control-flow Graph

        control_flow_graph 2646 debbaf-debbce call db1484 2649 debbdf-debbf0 call db1484 2646->2649 2650 debbd0 2646->2650 2655 debbf7-debc08 call db1484 2649->2655 2656 debbf2-debbf5 2649->2656 2651 debbd3-debbda 2650->2651 2653 debc97-debc9b 2651->2653 2655->2656 2659 debc0a-debc1b call db1484 2655->2659 2656->2651 2662 debc1d-debc22 2659->2662 2663 debc24-debc35 call db1484 2659->2663 2662->2651 2663->2662 2666 debc37-debc48 call db1484 2663->2666 2669 debc4f-debc60 call db1484 2666->2669 2670 debc4a-debc4d 2666->2670 2673 debc6a-debc7b call db1484 2669->2673 2674 debc62-debc65 2669->2674 2670->2651 2673->2650 2677 debc81-debc85 2673->2677 2674->2651 2678 debc87-debc90 call debc9e 2677->2678 2679 debc92 2677->2679 2678->2653 2679->2653
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memcmp
        • String ID:
        • API String ID: 2931989736-0
        • Opcode ID: 69f4a9ee4471d3b742fe204232521a94e9e3c838df7205ae948ccdb36eb6070b
        • Instruction ID: 43ac01f0fdc610d247de0b92dfb5e8177b84c506352d3d3655d7c2e504657c01
        • Opcode Fuzzy Hash: 69f4a9ee4471d3b742fe204232521a94e9e3c838df7205ae948ccdb36eb6070b
        • Instruction Fuzzy Hash: E9212661604246BBE60476229E52FFB7B5CDE10368F284423FD0596247EB78FE1081B5

        Control-flow Graph

        APIs
        • __swprintf.LIBCMT ref: 00DFC890
        • __swprintf.LIBCMT ref: 00DFC8D3
          • Part of subcall function 00D97DE1: _memmove.LIBCMT ref: 00D97E22
        • __swprintf.LIBCMT ref: 00DFC927
          • Part of subcall function 00DB3698: __woutput_l.LIBCMT ref: 00DB36F1
        • __swprintf.LIBCMT ref: 00DFC975
          • Part of subcall function 00DB3698: __flsbuf.LIBCMT ref: 00DB3713
          • Part of subcall function 00DB3698: __flsbuf.LIBCMT ref: 00DB372B
        • __swprintf.LIBCMT ref: 00DFC9C4
        • __swprintf.LIBCMT ref: 00DFCA13
        • __swprintf.LIBCMT ref: 00DFCA62
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __swprintf$__flsbuf$__woutput_l_memmove
        • String ID:
        • API String ID: 1085135966-0
        • Opcode ID: 08cbf9ea8a07e00e0847f29702dfc94e1c29246ef4a4e0b45be8a7287cd81770
        • Instruction ID: b7bdefa47bfb27274a9095e90b46fb31e98f3d8febe255f697cfec66e61f61a4
        • Opcode Fuzzy Hash: 08cbf9ea8a07e00e0847f29702dfc94e1c29246ef4a4e0b45be8a7287cd81770
        • Instruction Fuzzy Hash: 7FA12DB1414304ABDB00EFA4C995DAFB7ECEF99704F40492DF595C6191EA35EA08CB72

        Control-flow Graph

        control_flow_graph 2962 deaed4-deaefd 2964 deaeff-deaf01 2962->2964 2965 deaf05-deaf09 2962->2965 2964->2965 2966 deaf3a-deaf3e 2965->2966 2967 deaf0b-deaf32 call db354c 2965->2967 2968 deaff9-deaffd 2966->2968 2969 deaf44-deaf5b 2966->2969 2992 deaf34 2967->2992 2993 deaf35-deaf36 2967->2993 2971 deafff-deb040 call d97de1 call da5bc4 call d95904 call def3c3 2968->2971 2972 deb07a-deb07e 2968->2972 2980 deaf5d-deaf6d call db2bfc 2969->2980 2981 deaf74-deaf7c 2969->2981 3056 deb042-deb046 2971->3056 3057 deb071-deb076 2971->3057 2974 deb0c9-deb0cd 2972->2974 2975 deb080-deb0c1 call d97de1 call da5bc4 call d95904 call def3c3 2972->2975 2977 deb0cf-deb0d1 2974->2977 2978 deb0e3-deb0ec 2974->2978 3062 deb0c4-deb0c8 2975->3062 3063 deb0c3 2975->3063 2983 deb0e2 2977->2983 2984 deb0d3-deb0df call deb1a7 2977->2984 2988 deb0ee-deb101 2978->2988 2989 deb159-deb15c 2978->2989 2980->2981 2990 deaf7e-deaf7f 2981->2990 2991 deafaa-deafba call db3662 2981->2991 2983->2978 2984->2983 3017 deb0e1 2984->3017 3019 deb103-deb10d 2988->3019 3020 deb111-deb11b 2988->3020 3001 deb15e-deb160 2989->3001 3002 deb178-deb17a 2989->3002 2999 deaf95-deafa6 call db3987 2990->2999 3000 deaf81-deaf82 2990->3000 3023 deafbd-deafbf 2991->3023 2992->2993 2993->2966 3009 deafc2-deafc6 2999->3009 3035 deafa8 2999->3035 3008 deaf84-deaf93 call db354c 3000->3008 3000->3009 3010 deb177 3001->3010 3011 deb162-deb174 3001->3011 3013 deb17c-deb199 call d934c2 3002->3013 3014 deb19b-deb19d 3002->3014 3008->3023 3024 deafc8-deafee call db354c 3009->3024 3025 deaff4-deaff5 3009->3025 3010->3002 3011->3010 3027 deb176 3011->3027 3016 deb19e-deb1a4 3013->3016 3014->3016 3017->2983 3030 deb10f 3019->3030 3031 deb110 3019->3031 3033 deb11d-deb123 3020->3033 3034 deb127-deb12d 3020->3034 3023->3009 3036 deafc1 3023->3036 3024->3025 3058 deaff0 3024->3058 3025->2968 3027->3010 3030->3031 3031->3020 3039 deb126 3033->3039 3040 deb125 3033->3040 3041 deb12f-deb13d 3034->3041 3042 deb141-deb147 3034->3042 3035->3036 3036->3009 3039->3034 3040->3039 3046 deb13f 3041->3046 3047 deb140 3041->3047 3042->2989 3048 deb149-deb155 3042->3048 3046->3047 3047->3042 3052 deb158 3048->3052 3053 deb157 3048->3053 3052->2989 3053->3052 3060 deb048-deb06e call db354c 3056->3060 3061 deb070 3056->3061 3057->2972 3058->3025 3060->3057 3060->3061 3061->3057 3062->2974 3063->3062
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscmp$_wcsstr
        • String ID: @
        • API String ID: 3312506106-2766056989
        • Opcode ID: 525916a8bc504fa4b13b14d336d007f5d6dda10833d5cc4250fb434a5272fc3c
        • Instruction ID: c5be2290a4cf5a5d056c1d1a95dfafc244479ce29e38a8629d3c2bc15c57069a
        • Opcode Fuzzy Hash: 525916a8bc504fa4b13b14d336d007f5d6dda10833d5cc4250fb434a5272fc3c
        • Instruction Fuzzy Hash: 0D81C0711083869FDB05EF16C881BAB77D8EF84324F08856AFD858A095DB34ED49CB71

        Control-flow Graph

        control_flow_graph 3550 df64b8-df64c5 3551 df662e-df663a call d97667 3550->3551 3552 df64cb-df64cf 3550->3552 3561 df663c-df664a call de6084 3551->3561 3562 df66aa-df66ae 3551->3562 3552->3551 3554 df64d5-df64df 3552->3554 3556 df64e5-df64f6 call d97667 3554->3556 3557 df65a3-df65a7 3554->3557 3569 df6559-df6566 call d99837 3556->3569 3570 df64f8-df6503 call d99837 3556->3570 3559 df65a9-df65e6 call db0db6 call db0e40 call df549c call d99a98 call db0e2c * 2 3557->3559 3560 df65e8-df6623 call db0db6 call db0e40 call d99a98 call db0e2c 3557->3560 3617 df6628-df6629 3559->3617 3560->3617 3582 df664c-df6651 call d99b3c 3561->3582 3583 df6653-df665d call d99837 3561->3583 3565 df66cc-df66dd call db0e40 3562->3565 3566 df66b0-df66ca call db0e40 3562->3566 3588 df66e0-df66ef call df5acd call d99a3c 3565->3588 3566->3588 3596 df6568-df6575 call d99837 3569->3596 3597 df6576-df659e call d99837 call d9784b call d99a3c 3569->3597 3593 df6505-df6512 call d99837 3570->3593 3594 df6513-df6554 call d99837 call d9784b call d99a3c call df5887 call db0e40 call db0e2c 3570->3594 3600 df6660-df6683 call df5acd call d99a3c call d979f2 3582->3600 3583->3600 3620 df66f4-df66f7 call d95904 3588->3620 3593->3594 3594->3620 3596->3597 3636 df669d-df66a8 call db0e40 3597->3636 3642 df6685-df668f 3600->3642 3643 df6691-df669a 3600->3643 3623 df66fc-df6704 3617->3623 3620->3623 3636->3620 3646 df669c 3642->3646 3643->3646 3646->3636
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memmove$__itow__swprintf
        • String ID:
        • API String ID: 3253778849-0
        • Opcode ID: 7737c114a36851362f9cff69a5865d84050081a44473ada8722d867349a6da20
        • Instruction ID: bb9f22e4602da0b21eb41a5bf5ba44f870ce526eb5861b05737af7677ad288a2
        • Opcode Fuzzy Hash: 7737c114a36851362f9cff69a5865d84050081a44473ada8722d867349a6da20
        • Instruction Fuzzy Hash: B8617C3050025A9BCF01EF64CC92AFE7BA9EF05308F058559FA566B292EB35ED05CB70

        Control-flow Graph

        control_flow_graph 3650 df4cc1-df4d0b call dc1940 call df466e * 2 call df4a31 3659 df4d0d-df4d0f 3650->3659 3660 df4d14-df4d24 call df4a31 3650->3660 3661 df4f22-df4f27 3659->3661 3664 df4d2a-df4d2e 3660->3664 3665 df4df0-df4e35 call d97de1 * 2 call df49c7 call d95904 * 2 3660->3665 3664->3659 3666 df4d30-df4d48 3664->3666 3691 df4e8a-df4ea3 call db354c 3665->3691 3692 df4e37-df4e4f call df3671 3665->3692 3671 df4d8c-df4dda call db40fb call db2d8d * 2 3666->3671 3672 df4d4a-df4d63 call db354c 3666->3672 3671->3665 3693 df4ddc-df4def call db2d8d 3671->3693 3680 df4d85-df4d87 3672->3680 3681 df4d65-df4d80 3672->3681 3680->3661 3681->3661 3691->3659 3701 df4ea9-df4f20 call db2bfc * 2 3691->3701 3692->3659 3700 df4e55-df4e85 call d97de1 call df5123 call d95904 3692->3700 3693->3665 3700->3661 3701->3661
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscmp
        • String ID:
        • API String ID: 856254489-0
        • Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
        • Instruction ID: 8a0366697a664874c90f612b39d04149309e1426a5fb20d76d00bad3b2c323f5
        • Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
        • Instruction Fuzzy Hash: 4B5142B24083499BC725DB64DC819EFB3ECEF84350F04492EB689D3151EE34A688C776

        Control-flow Graph

        control_flow_graph 3713 d99837-d99849 3714 d9984b-d99850 3713->3714 3715 d99851-d99855 3713->3715 3716 d9988b-d9988c 3715->3716 3717 d99857-d99867 call db34c0 3715->3717 3718 dcf5d8-dcf5e6 call db3490 3716->3718 3719 d99892-d99893 3716->3719 3728 d9986a-d99874 call db0db6 3717->3728 3729 dcf5eb 3718->3729 3721 d99899-d998b4 call db3698 3719->3721 3722 dcf4da-dcf4dd 3719->3722 3721->3728 3726 dcf5c0-dcf5d3 call db3698 3722->3726 3727 dcf4e3-dcf4e8 3722->3727 3726->3718 3731 dcf59c-dcf5a5 3727->3731 3732 dcf4ee-dcf4ef 3727->3732 3744 d99886-d99889 3728->3744 3745 d99876-d99884 call d97de1 3728->3745 3729->3729 3735 dcf5ae 3731->3735 3736 dcf5a7-dcf5ac 3731->3736 3737 dcf564-dcf597 call db2dbc call d95904 3732->3737 3738 dcf4f1-dcf4f2 3732->3738 3741 dcf5b3-dcf5ba call db2dbc 3735->3741 3736->3741 3737->3731 3742 dcf4f4-dcf4f6 3738->3742 3743 dcf502-dcf526 call db0db6 3738->3743 3741->3726 3742->3743 3756 dcf528-dcf537 call df550b 3743->3756 3757 dcf539-dcf53b 3743->3757 3744->3714 3745->3744 3758 dcf53e-dcf548 call db0db6 3756->3758 3757->3758 3763 dcf54a-dcf552 call d97de1 3758->3763 3764 dcf554-dcf55e call db0e2c 3758->3764 3763->3764 3764->3737
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __i64tow__itow__swprintf
        • String ID:
        • API String ID: 421087845-0
        • Opcode ID: 7bcafa12e8cb9d546087ae0c13376f8b73a3c8d299bf9db3645951ad734d3080
        • Instruction ID: ea95bc68726668a4ba1084161e41aab3ffb57cf0e6f2fe2f476ca7dd9f78c772
        • Opcode Fuzzy Hash: 7bcafa12e8cb9d546087ae0c13376f8b73a3c8d299bf9db3645951ad734d3080
        • Instruction Fuzzy Hash: 9841B471510206EFDF249F78D852FB6B7E9EF05310F24446EE58AD7291EA31D9418B30

        Control-flow Graph

        control_flow_graph 3769 df55fd-df5614 3771 df561a-df5624 call db2bfc 3769->3771 3772 df5775 3769->3772 3771->3772 3776 df562a-df5632 3771->3776 3774 df5777-df577c 3772->3774 3777 df56cf-df56d9 call db2bfc 3776->3777 3778 df5638-df5668 call db40bb call db358a call db2bfc 3776->3778 3784 df56df-df5717 call db40bb call db358a call db2bfc 3777->3784 3785 df5770-df5773 3777->3785 3778->3777 3792 df566a-df569b call db40bb call db358a call db2bfc 3778->3792 3784->3785 3799 df5719-df5746 call db40bb call db358a call db2bfc 3784->3799 3785->3774 3792->3777 3807 df569d-df56ca call db40bb call db358a call db2bfc 3792->3807 3799->3785 3813 df5748-df576c call db40bb call db358a 3799->3813 3807->3777 3820 df56cc 3807->3820 3813->3785 3820->3777
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcsncpy
        • String ID:
        • API String ID: 1735881322-0
        • Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
        • Instruction ID: 291d575bfcb8801493f7f1253dfd8000abf31a0297881e1bf73d6e45de3fd2d0
        • Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
        • Instruction Fuzzy Hash: F841A466C10618B6CB11FBB49C869DFB7B8DF04310F508966E619E3221EB34E245C7FA
        APIs
        • __init_pointers.LIBCMT ref: 00DB9AE6
          • Part of subcall function 00DB3187: __initp_misc_winsig.LIBCMT ref: 00DB31A5
        • __mtinitlocks.LIBCMT ref: 00DB9AEB
        • __mtterm.LIBCMT ref: 00DB9AF4
          • Part of subcall function 00DB9B5C: _free.LIBCMT ref: 00DB9C5D
        • __calloc_crt.LIBCMT ref: 00DB9B19
        • __initptd.LIBCMT ref: 00DB9B3B
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
        • String ID:
        • API String ID: 206718379-0
        • Opcode ID: 077d5c0f99fda34c06fd1b26cca46798951cce19c7061b0ffca82948e383fe55
        • Instruction ID: e25e9dde3c4791e08baf156daea0e5ba12ee1cc817a91c987e51170c7d35ac6b
        • Opcode Fuzzy Hash: 077d5c0f99fda34c06fd1b26cca46798951cce19c7061b0ffca82948e383fe55
        • Instruction Fuzzy Hash: 59F0F632519791DBE6347776BC63ACAA684DF02730F240A29F213C51D2EF1088004278
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __swprintf_memset_wcsncpy
        • String ID: :$\
        • API String ID: 214737766-1166558509
        • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
        • Instruction ID: 10d1e23f2519cfdd9df523fcba5d18fcd54e5c1a1adfa52c6b9d2a928a85a45f
        • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
        • Instruction Fuzzy Hash: 193191B150010AABDB209FA4DC49FFF77BCEF88700F1445BAFA09D6160EA7096448B39
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscmp$__swprintf_iswctype
        • String ID:
        • API String ID: 3564621516-0
        • Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
        • Instruction ID: d3d9a195a32c045842f2bcdf5a03aace4752979be8e75470cb70efb1ecf824b9
        • Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
        • Instruction Fuzzy Hash: A0A1DE31204647AFD715EF69C884BAAB7E8FF44314F048629F999D2190DB30F959CBB2
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
        • String ID:
        • API String ID: 1559183368-0
        • Opcode ID: 5f1ff27ecb40ff672c6b963bdcbb91b938089e4726130bfa6a2e3a5f931ee01a
        • Instruction ID: a0d636eb29e082b658494992143cc6f9e1f88e36a799463c98f5e38d5b2a4b52
        • Opcode Fuzzy Hash: 5f1ff27ecb40ff672c6b963bdcbb91b938089e4726130bfa6a2e3a5f931ee01a
        • Instruction Fuzzy Hash: AF51A670A00B05DBDB249E69E8407EE77E6EF40321F288729F867962D8D771DD909B70
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscpy$_memmove_strcat
        • String ID:
        • API String ID: 559723171-0
        • Opcode ID: de56ce9617f3aca52c0813d3aa7d2567c867b191378b8155293d27d06681c82b
        • Instruction ID: b6ae417464897d2f14f6138216878ba73082ae214870592fe86ee0087a166d31
        • Opcode Fuzzy Hash: de56ce9617f3aca52c0813d3aa7d2567c867b191378b8155293d27d06681c82b
        • Instruction Fuzzy Hash: 4A11D831500118ABDB10BB30AC4AEFF77BCEB01711F1585BAF54696051EF74D9858BB4
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memcmp
        • String ID:
        • API String ID: 2931989736-0
        • Opcode ID: 7c26e2e8b89362a653cc0400413d5b10d698c9d03250d8de96d81db894dbabbb
        • Instruction ID: 2c070c624bd31f16b12844160e5ea56eade907d831c28463f4ea9397c9940fc2
        • Opcode Fuzzy Hash: 7c26e2e8b89362a653cc0400413d5b10d698c9d03250d8de96d81db894dbabbb
        • Instruction Fuzzy Hash: 0301B571604145BBD6047A229E52FFBB75CDE503A8B284433FD0696242FB54FE10C6B4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _iswctype_wcscpy
        • String ID: AU3!$EA06
        • API String ID: 2497406411-2658333250
        • Opcode ID: 4781125ca166825588d68b5edf5b5f887c139103f418c94bf321b8132ec7d7c5
        • Instruction ID: 148d3a235ea162cf0cc2617a40fceef5b1b68edeb75c22516a90e6bef9e38095
        • Opcode Fuzzy Hash: 4781125ca166825588d68b5edf5b5f887c139103f418c94bf321b8132ec7d7c5
        • Instruction Fuzzy Hash: 69028A711083419FCB25EF24C881AAFBBE5EF95314F14492DF49A972A2DB30D949CB72
        APIs
          • Part of subcall function 00D99837: __itow.LIBCMT ref: 00D99862
          • Part of subcall function 00D99837: __swprintf.LIBCMT ref: 00D998AC
          • Part of subcall function 00DAFC86: _wcscpy.LIBCMT ref: 00DAFCA9
        • _wcstok.LIBCMT ref: 00DFEC94
        • _wcscpy.LIBCMT ref: 00DFED23
        • _memset.LIBCMT ref: 00DFED56
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
        • String ID: X
        • API String ID: 774024439-3081909835
        • Opcode ID: 5f63eabd900585ca30706693ede9ba4275561f5c38432772f56cd3c6626f7487
        • Instruction ID: e60a1f0942dabda628699e59937542867d852a01382d8743d74aa79421dd4f19
        • Opcode Fuzzy Hash: 5f63eabd900585ca30706693ede9ba4275561f5c38432772f56cd3c6626f7487
        • Instruction Fuzzy Hash: 7CC191715083449FCB14EF28D881A6AB7E4FF85310F15892DF9999B2A2DB30ED45CB72
        APIs
          • Part of subcall function 00DB0DB6: std::exception::exception.LIBCMT ref: 00DB0DEC
          • Part of subcall function 00DB0DB6: __CxxThrowException@8.LIBCMT ref: 00DB0E01
          • Part of subcall function 00D97DE1: _memmove.LIBCMT ref: 00D97E22
          • Part of subcall function 00D97A51: _memmove.LIBCMT ref: 00D97AAB
        • __swprintf.LIBCMT ref: 00DA2ECD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
        • String ID: (+I
        • API String ID: 1943609520-2960116247
        • Opcode ID: 21f521673211c63e055d0da72932523ff923a3a2e42963ed3dbe2612b8802916
        • Instruction ID: 9f9bae700f93813d37cf090de39efa04600cde1607a75fc09630df4fc4f2dd83
        • Opcode Fuzzy Hash: 21f521673211c63e055d0da72932523ff923a3a2e42963ed3dbe2612b8802916
        • Instruction Fuzzy Hash: F3911C71118201AFCB14EF28D895D7FB7A4EF95710F04491EF4969B2A1EB20EE44CBB2
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memmove$_free
        • String ID: 3cA
        • API String ID: 2620147621-2523384761
        • Opcode ID: 1b99c16daf26ba05b26fd3cba724ea838179ea068b8530a01c401a2aae47b380
        • Instruction ID: addad49d5963485f9313b713bdeecb7508f3a7b7963e697564cbe2f0e303140a
        • Opcode Fuzzy Hash: 1b99c16daf26ba05b26fd3cba724ea838179ea068b8530a01c401a2aae47b380
        • Instruction Fuzzy Hash: CA514B716043418FDB25CF68C441B6EBBE6EF8A310F08882DF99987351DB71E901CBA2
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memset$_memmove
        • String ID: ERCP
        • API String ID: 2532777613-1384759551
        • Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
        • Instruction ID: 63b4f7f445dd193e36a9ad630ecbc6bf25e87172664fe723e3bd347d7fe59fbf
        • Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
        • Instruction Fuzzy Hash: 2551B071900305DBDB24DF65C8817EABBE4EF05314F28856EE58ACB240E774EA41CB74
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memset
        • String ID: oL$doL
        • API String ID: 2102423945-3421622115
        • Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
        • Instruction ID: d063f95130564a958f092f6aac2cb7aaec938eb0a131700718dacb37a27f8e1a
        • Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
        • Instruction Fuzzy Hash: 18F05EB2540300BAE6502761BC06FBB3A9CEB08395F018439BA09E5192D7759C0087BC
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscat$__wsplitpath
        • String ID:
        • API String ID: 1413645957-0
        • Opcode ID: 188660a599668010583c76a9614ab57aaee43a98a951f5589b54779c745aba27
        • Instruction ID: c03935c5b71466b366e0ebe65798216e90df76bc3f261b41ace906071ecec9ba
        • Opcode Fuzzy Hash: 188660a599668010583c76a9614ab57aaee43a98a951f5589b54779c745aba27
        • Instruction Fuzzy Hash: 3F81A2725042499FCB20EFA4C84497AB7EAEF89314F19C82EF989C7251E670D945CF72
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscat$__wsplitpath_wcscpy
        • String ID:
        • API String ID: 3240238573-0
        • Opcode ID: 4f4890e2e2a3eabc3efe22c229ca72d21f946308a6877a74bd565c218d50dfe6
        • Instruction ID: dce2145d465c25543185911093eb86546d97495b3777b6ac61ce28025dd1e629
        • Opcode Fuzzy Hash: 4f4890e2e2a3eabc3efe22c229ca72d21f946308a6877a74bd565c218d50dfe6
        • Instruction Fuzzy Hash: FD617E725043099FCB10EF64C8559AEB3E9FF89314F05892DF98987251EB31E945CBB2
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __swprintf_wprintf$_memmove
        • String ID:
        • API String ID: 2249476411-0
        • Opcode ID: caf2c998783c6d6a87866aef771a2fbcf86fc1c5da1596bf467658d350e7574b
        • Instruction ID: fd5130a03303a63b063dce405d502eecd80ef2c748102c2d688e524437f36214
        • Opcode Fuzzy Hash: caf2c998783c6d6a87866aef771a2fbcf86fc1c5da1596bf467658d350e7574b
        • Instruction Fuzzy Hash: D7517D71900109BACF15EBA4DD46EEEB778EF04300F604165B509721A2EB316F59DF75
        APIs
          • Part of subcall function 00D94EE5: _fseek.LIBCMT ref: 00D94EFD
          • Part of subcall function 00DF9734: _wcscmp.LIBCMT ref: 00DF9824
          • Part of subcall function 00DF9734: _wcscmp.LIBCMT ref: 00DF9837
        • _free.LIBCMT ref: 00DF96A2
        • _free.LIBCMT ref: 00DF96A9
        • _free.LIBCMT ref: 00DF9714
        • _free.LIBCMT ref: 00DF971C
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _free$_wcscmp$_fseek
        • String ID:
        • API String ID: 3404660211-0
        • Opcode ID: 8c66bba008aa022ea217763876d92d68911b16dfe2cdbb3685ec8a45d3e1b5f3
        • Instruction ID: b77868b2c72bab5c7804e8027e36eb0c24a6fcef258e67ea6d7e4c347b283a7b
        • Opcode Fuzzy Hash: 8c66bba008aa022ea217763876d92d68911b16dfe2cdbb3685ec8a45d3e1b5f3
        • Instruction Fuzzy Hash: 3F515EB1D14258AFDF249F64DC81BAEBBB9EF48300F10449EF609A7241DB715A81CF68
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __swprintf_wprintf$_memmove
        • String ID:
        • API String ID: 2249476411-0
        • Opcode ID: 3b826556c743c12135e1125909714c24acfff879d9fb167c7e2db4d00805d54e
        • Instruction ID: 5771098e9b3c73ae1124141fed9869666b466dc3fcdb202f0161f852ac63edac
        • Opcode Fuzzy Hash: 3b826556c743c12135e1125909714c24acfff879d9fb167c7e2db4d00805d54e
        • Instruction Fuzzy Hash: 34517A32D00609AADF15EBE0DD46EEEB778EF14300F604165B509720A2EB352F59DB74
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
        • String ID:
        • API String ID: 2782032738-0
        • Opcode ID: 8d5e84d796d2a622fb585a85b2cb739199fd67226ed781522a47284023b78b74
        • Instruction ID: a74ad065e6d6f85cc362e5ba7255da7b7a7f4e437abff59d22bdb0c3b83ca927
        • Opcode Fuzzy Hash: 8d5e84d796d2a622fb585a85b2cb739199fd67226ed781522a47284023b78b74
        • Instruction Fuzzy Hash: 9E41C479A00745DBDB18CE69C8909EE7BA6EF46360B28813DE857C7642DB70DD41CBB0
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __write$__getbuf__getptd_noexit__lseeki64
        • String ID:
        • API String ID: 4182129353-0
        • Opcode ID: b77aae38ed6e34726ab9f9f279fa09a21295c2db3db9c1ce0869ba17ac253568
        • Instruction ID: 424cc04d6554080dff28e2b653ae7915a9ed3083c629379432dc424c2781e3e3
        • Opcode Fuzzy Hash: b77aae38ed6e34726ab9f9f279fa09a21295c2db3db9c1ce0869ba17ac253568
        • Instruction Fuzzy Hash: AC4129711007029FD3349F68C865FBAB7E5EF41320F08862DE5A68B6D1EB34E840AB70
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscmp
        • String ID:
        • API String ID: 856254489-0
        • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
        • Instruction ID: 831adecb07b57fe55607c110132c3712c5527040b97d207ef18c98bf890187b6
        • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
        • Instruction Fuzzy Hash: 1A31D43250020D6ADF24AFA4DC48BFE77AC9F44360F1585BAE904D20A1DF75DA44CB79
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscmp
        • String ID:
        • API String ID: 856254489-0
        • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
        • Instruction ID: e1b913f2b2bf539e0f4408a72d701be44159953e4041c441db5c2958b35e3d60
        • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
        • Instruction Fuzzy Hash: 2231933650021DAADF20AFA4EC49BFE77ACDF45360F254175E900E20A0DB31DA45DA78
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
        • String ID:
        • API String ID: 3016257755-0
        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
        • Instruction ID: b2480b7925b1b11d0445c27138912305a1f3ab18a7e6b90239b76a400eaef3c5
        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
        • Instruction Fuzzy Hash: A5014B7244814ABBCF265E85CC01DEE3F72BB18391B588419FA585A031D636C9B1BFA1
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __itow_s
        • String ID: xbL$xbL
        • API String ID: 3653519197-3351732020
        • Opcode ID: d646e4bb21cf180c2b3bcf2ba2aa6e399e6fdbde90ff57f1201e620ffab942ef
        • Instruction ID: cccdab1aa75990f1e0c4c0d3319b181a35b2b52735f96ba373dba4261daa4faa
        • Opcode Fuzzy Hash: d646e4bb21cf180c2b3bcf2ba2aa6e399e6fdbde90ff57f1201e620ffab942ef
        • Instruction Fuzzy Hash: CFB17174A00209EFCF14DF54C891EBABBB9FF58304F149569F945AB291DB30D981CB60
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memset
        • String ID:
        • API String ID: 2102423945-3916222277
        • Opcode ID: aa973d33a02bfa199831d235f317d3626315b443824ea58ce6c4261de3f61784
        • Instruction ID: 3243c8794588afd6a5361c022ca939bc3df60aad9d7d7e247ba93b34953687c7
        • Opcode Fuzzy Hash: aa973d33a02bfa199831d235f317d3626315b443824ea58ce6c4261de3f61784
        • Instruction Fuzzy Hash: 53818D71900289AFDF11EFA5CC45AEE7B79FF08304F184169F819A6161DB319E15EB34
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _wcscat
        • String ID: \
        • API String ID: 2563891980-2967466578
        • Opcode ID: 37f8556a626ae037f6edf7abe1d4f3c4d2ba69555b9a07e1d7be78a4c2c9eb1a
        • Instruction ID: 7ac9bb7a99ee1ec432e7440017f62ffc66f1b018c53c1874989cca7cc424fbd7
        • Opcode Fuzzy Hash: 37f8556a626ae037f6edf7abe1d4f3c4d2ba69555b9a07e1d7be78a4c2c9eb1a
        • Instruction Fuzzy Hash: C3718F71508301AEC744EF25E841EABBBE8FF85310F45893EF445871A1EB719948CB7A
        APIs
        • _memset.LIBCMT ref: 00E0F448
        • _memset.LIBCMT ref: 00E0F511
          • Part of subcall function 00D99837: __itow.LIBCMT ref: 00D99862
          • Part of subcall function 00D99837: __swprintf.LIBCMT ref: 00D998AC
          • Part of subcall function 00DAFC86: _wcscpy.LIBCMT ref: 00DAFCA9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memset$__itow__swprintf_wcscpy
        • String ID: @
        • API String ID: 2523036003-2766056989
        • Opcode ID: fc9b12f333b0dcf5a4b7df1c92d6160ab3b60f831e68bfb17c9988c3f6607c25
        • Instruction ID: 177dede8972fc2faa6ee66aad1ee380d3887401aed1bfd18b57dc153c8f389e1
        • Opcode Fuzzy Hash: fc9b12f333b0dcf5a4b7df1c92d6160ab3b60f831e68bfb17c9988c3f6607c25
        • Instruction Fuzzy Hash: AF61AE71A006199FCF14EFA8C8919AEBBB4FF48314F10446DE815BB791CB30AD41CBA0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: _memset
        • String ID: 0$F
        • API String ID: 2102423945-3044882817
        • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
        • Instruction ID: f52e38cde74013a76c2f11b7c9a6e729450c0ca49e7624e78199e18b5bf1600d
        • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
        • Instruction Fuzzy Hash: 7D4147B5A01205EFDB20DFA4D884EEA7BF5FF48310F144429F945A7361D731A9A4CBA4
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: __calloc_crt
        • String ID: K
        • API String ID: 3494438863-4153964727
        • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
        • Instruction ID: dcb1eb7982e4df0fd0ab21486e60e1cf9e8457c6d6a9bedc6f7feef34e3c6be6
        • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
        • Instruction Fuzzy Hash: FEF04471204611DBEBA49F55BC51ED667E4E740730B540466E502CE190EF78D8819ABC
        APIs
        • __lock.LIBCMT ref: 00DB9B94
          • Part of subcall function 00DB9C0B: __mtinitlocknum.LIBCMT ref: 00DB9C1D
        • __updatetlocinfoEx_nolock.LIBCMT ref: 00DB9BA4
          • Part of subcall function 00DB9100: ___addlocaleref.LIBCMT ref: 00DB911C
          • Part of subcall function 00DB9100: ___removelocaleref.LIBCMT ref: 00DB9127
          • Part of subcall function 00DB9100: ___freetlocinfo.LIBCMT ref: 00DB913B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
        • Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d90000_WN9uCxgU1T.jbxd
        Similarity
        • API ID: Ex_nolock___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
        • String ID: 8K
        • API String ID: 3369060592-2802361588
        • Opcode ID: d41c92ecd1d7e74e0adb9f475a826e210c9bd16fdcadbad4fdccb8f20f9f3334
        • Instruction ID: 629a8db97bdf2e4748cf8387b9c11449e61d9142a51748c521ff6730868d19c4
        • Opcode Fuzzy Hash: d41c92ecd1d7e74e0adb9f475a826e210c9bd16fdcadbad4fdccb8f20f9f3334
        • Instruction Fuzzy Hash: 73E08C7194B340EAEE24FBA9A963BC9B664DB80B21F20026EF147550C1CE782400DA3F
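Every function block above repeats the same seven memory-dump regions of the image loaded at 00D90000, and the APIs lists quote call sites such as 00E0F448 (_memset) and 00DB9B94 (__lock). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes the dotted .sdmp names into base address and Windows protection flags, and maps those call-site addresses back onto the region that contains them, which is how you confirm the fuzzy-hashed code lives in the execute-read section rather than in writable data. The field layout (base in field 4, protection in field 5, type in field 7) is an assumption inferred from the values on the page, not a documented format, and region ends are approximated from the next base because the report lists bases only.

```python
"""Decode Joe Sandbox "Memory Dump Source" region names and locate call sites.
Added example; not part of the Joe Sandbox report or tooling."""
import re
from typing import List, NamedTuple, Optional

# Windows memory protection constants from winnt.h (documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values (documented).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION (inferred, not documented): the dotted name is
#   <proc>.<phase>.<dumpid>.<base>.<protect>.<field6>.<type>.<field8>.sdmp
# where <protect> and <type> carry the Windows Protect/Type values above.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\."
    r"(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp", re.IGNORECASE,
)


class Region(NamedTuple):
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        # Execute rights occupy bits 0x10..0x80; modifiers like PAGE_GUARD (0x100)
        # sit above them and are ignored here.
        return bool(self.protect & 0xF0)

    def describe(self) -> str:
        return "%08X %-22s %s" % (
            self.base, PAGE_PROTECT.get(self.protect & 0xFF, "PAGE_?"),
            MEM_TYPE.get(self.mem_type, "TYPE_?"))


def parse_sdmp_name(text: str) -> Optional[Region]:
    """Return the Region encoded in a line that contains an .sdmp name, else None."""
    m = SDMP_RE.search(text)
    if not m:
        return None
    return Region(int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def regions_from_report(lines: List[str]) -> List[Region]:
    """Unique regions found in the lines, sorted by base address."""
    seen = {}
    for line in lines:
        r = parse_sdmp_name(line)
        if r is not None:
            seen[r.base] = r
    return [seen[b] for b in sorted(seen)]


def region_for(addr: int, regions: List[Region]) -> Optional[Region]:
    """Region with the largest base not above addr (ends are unknown, so the
    next base is taken as the boundary); None if addr is below every base."""
    best = None
    for r in regions:
        if r.base <= addr:
            best = r
    return best


def executable_regions(regions: List[Region]) -> List[Region]:
    return [r for r in regions if r.executable]


# Constructed sample: the Memory Dump Source lines as printed in the report.
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.1887568934.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true",
    "• Associated: 00000000.00000002.1887549867.0000000000D90000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.1887635868.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.1887635868.0000000000E44000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.1887705522.0000000000E4E000.00000008.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.1887705522.0000000000E52000.00000008.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.1887754421.0000000000E57000.00000002.00000001.01000000.00000003.sdmp",
]
REGIONS = regions_from_report(SAMPLE_LINES)

# Call sites quoted in the APIs lists of the report.
CALL_SITES = {"_memset": 0x00E0F448, "__lock": 0x00DB9B94, "__itow": 0x00D99862}

if __name__ == "__main__":
    for r in REGIONS:
        print(r.describe())
    for name, addr in CALL_SITES.items():
        r = region_for(addr, REGIONS)
        print("%-8s %08X -> region %08X executable=%s" % (name, addr, r.base, r.executable))
```

Run as-is it lists the seven regions (only 00D91000 carries PAGE_EXECUTE_READ; 00E4E000 and 00E52000 are PAGE_WRITECOPY, the copy-on-write data sections of a mapped image) and shows that all three quoted call sites fall in the 00D91000 code region, consistent with "based on PE: true" for the dump at that base.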