
Windows Analysis Report
PR.exe

Overview

General Information

Sample Name: PR.exe
Analysis ID: 723837
MD5: 4d32fa0ee0e0bf3e02f9c951b62f10d1
SHA1: 55924e7ed2192b0d6cadfa327bf9271833a18f53
SHA256: 31c5cfa7a0f0a0632b3c4b9edec97c1644d992fc6b16a7e772d09ad8f73c3c70
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Searches for specific processes (likely in order to inject)
Machine Learning detection for sample
Uses 32bit PE files
Sample file name differs from the original file name gathered from version info
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • PR.exe (PID: 6128 cmdline: C:\Users\user\Desktop\PR.exe MD5: 4D32FA0EE0E0BF3E02F9C951B62F10D1)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: PR.exe; ReversingLabs: Detection: 46%
Source: PR.exe; Virustotal: Detection: 44%
Source: PR.exe; Metadefender: Detection: 24%
Source: PR.exe; Joe Sandbox ML: detected
Source: PR.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PR.exe; Static PE information: certificate valid
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004012DE FindFirstFileW,FindNextFileW,RemoveDirectoryW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_004012DE
Source: PR.exe; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PR.exe, 00000000.00000002.501649671.000000001025D000.00000004.00000001.01000000.00000004.sdmp, htmlayout.dll.0.dr; String found in binary or memory: http://crl.nmsu.edu/~mleisher/ucdata.html)
Source: PR.exe; String found in binary or memory: http://express-files.com/uninstall/?sid=%s&aid=%s&d=%lld&s=%u
Source: PR.exe; String found in binary or memory: http://express-files.com/welcome/?sid=%s&aid=%s&b=%d&d=%lld
Source: PR.exe; String found in binary or memory: http://express-files.com/welcome/?sid=%s&aid=%s&b=%d&d=%lldExpressFilesExpressFilesDLerror%sExpressD
Source: PR.exe; String found in binary or memory: http://ocsp.comodoca.com0
Source: PR.exe, 00000000.00000003.243147116.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, PR.exe, 00000000.00000002.499575324.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, PR.exe, 00000000.00000002.501548684.0000000010223000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: http://terrainformatica.com/forums/topic.php?id=1772
Source: PR.exe, 00000000.00000002.501649671.000000001025D000.00000004.00000001.01000000.00000004.sdmp, htmlayout.dll.0.dr; String found in binary or memory: http://terrainformatica.comD
Source: PR.exe; String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula
Source: PR.exe; String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulalegal_terms2checkbox_install_too
Source: PR.exe; String found in binary or memory: http://www.babylon.com/toolbar
Source: PR.exe, 00000000.00000002.499417994.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.babylon.com/toolbar0
Source: PR.exe; String found in binary or memory: http://www.express-files.com/
Source: PR.exe; String found in binary or memory: http://www.express-files.com/PublisherInstallLocationhttp://www.express-files.com/URLInfoAbout1.2.0D
Source: PR.exe; String found in binary or memory: http://www.express-files.com/X
Source: PR.exe, 00000000.00000002.501649671.000000001025D000.00000004.00000001.01000000.00000004.sdmp; Binary or memory string: OriginalFilename HTMLayout.dll4 vs PR.exe
Source: PR.exe, 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename ExpressFilesInstaller.exeP vs PR.exe
Source: PR.exe; Binary or memory string: OriginalFilename ExpressFilesInstaller.exeP vs PR.exe
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00404620 0_2_00404620
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042E0BF 0_2_0042E0BF
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004BD30F 0_2_004BD30F
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004063B0 0_2_004063B0
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00430904 0_2_00430904
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00406AA0 0_2_00406AA0
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00405C10 0_2_00405C10
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00427D70 0_2_00427D70
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00404EED 0_2_00404EED
Source: C:\Users\user\Desktop\PR.exe; Memory allocated: 77A20000 page execute and read and write
Source: C:\Users\user\Desktop\PR.exe; Memory allocated: 74AA0000 page execute and read and write
Source: C:\Users\user\Desktop\PR.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00401000 CreateToolhelp32Snapshot,Process32FirstW,PathFindFileNameW,StrCmpIW,Process32NextW,CloseHandle,0_2_00401000
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004018BE LockResource,SizeofResource,CreateFileW,VirtualFree,FreeResource,0_2_004018BE
Source: C:\Users\user\Desktop\PR.exe; Command line argument: uninstall.exe 0_2_00403344
Source: C:\Users\user\Desktop\PR.exe; Command line argument: _downloader 0_2_00403344
Source: C:\Users\user\Desktop\PR.exe; File created: C:\Users\user\AppData\Local\Temp\htmlayout.dll
Source: PR.exe; String found in binary or memory: ED-INSTALL
Source: PR.exe; String found in binary or memory: 0@_downloadertoolbar%u.exeBABYLON/mhp /mnt /mds /babTrack="affID=%s" /s /aflt=babsst /instlref=sst /srcExt=ssnext_pageprev_pageskip_pageside_page_%dinstall_foldersearch_keywordExpressFilesPipeExpressFilesPipeKeywordSoftware\ExpressFilesSoftware\ExpressFilesinstalllegal_termshttp://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulalegal_terms2checkbox_install_toolbaruninstall%u.tmpExpressFiles%u.tmpexpressdl%u.tmphtmlayout%u.tmpdht%u.tmpexpressdl_startshttp://express-files.com/uninstall/?sid=%s&aid=%s&d=%lld&s=%uidED-UNINSTALLED-INSTALL
Source: PR.exe; String found in binary or memory: <link rel="shortcut icon" href="./icons/ed-install.ico">
Source: PR.exe; String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: classification engine; Classification label: mal64.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00401A2A CoCreateInstance,0_2_00401A2A
Source: PR.exe; Static file information: File size 4721272 > 1048576
Source: PR.exe; Static PE information: Raw size of .p0 is bigger than: 0x100000 < 0x419600
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_008284D5 push dword ptr [esp+24h]; retn 0028h 0_2_004B68C0
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_008284D5 push eax; mov dword ptr [esp], 00000000h 0_2_0082852A
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0082BB4F push dword ptr [esp+2Ch]; retn 0034h 0_2_0073BFBB
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00833080 push dword ptr [esp+2Ch]; retn 0030h 0_2_0083309E
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00635069 push dword ptr [esp+24h]; retn 0030h 0_2_0063509E
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00635069 push dword ptr [esp]; mov dword ptr [esp], ecx 0_2_00832925
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00635069 push dword ptr [esp+08h]; retn 0014h 0_2_00832930
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00422056 push dword ptr [esp+28h]; retn 002Ch 0_2_0073E03C
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00429056 push dword ptr [esp+28h]; retn 003Ch 0_2_00639E60
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00431055 pushad ; retf 0_2_0043106A
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042405B pushfd ; mov dword ptr [esp], edi 0_2_00424066
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042405B push dword ptr [esp+2Ch]; retn 0030h 0_2_00424090
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042405B push ebx; mov dword ptr [esp], 114D6820h 0_2_0083120C
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00420058 push dword ptr [esp+50h]; retn 0054h 0_2_0042168E
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042905C push dword ptr [esp+0Ch]; retn 0010h 0_2_004290BC
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042006B push dword ptr [esp+50h]; retn 0054h 0_2_0042168E
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0073C05F push dword ptr [esp+4Ch]; retn 0050h 0_2_0073C081
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0043106D push edx; retf 0_2_0043106E
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_008330B4 push dword ptr [esp+3Ch]; retn 0040h 0_2_008330D7
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0043107D push 47B074CBh; retf 0_2_00431082
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042207D push dword ptr [esp+10h]; retn 0014h 0_2_004220E5
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042207D push dword ptr [esp+04h]; retn 000Ch 0_2_00833C7C
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0041F000 pushad ; mov dword ptr [esp], edi 0_2_0042027D
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00424000 push dword ptr [esp+4Ch]; retn 0050h 0_2_00641690
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004B600C pushfd ; mov dword ptr [esp], esi 0_2_00828115
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004AE01B pushfd ; mov dword ptr [esp], 1D616640h 0_2_006331DF
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0064A031 push dword ptr [esp+20h]; retn 0024h 0_2_008282AD
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00429015 push dword ptr [esp+34h]; retn 0038h 0_2_00831E2B
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00420019 push dword ptr [esp+50h]; retn 0054h 0_2_0042168E
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0064A03F push dword ptr [esp+20h]; retn 0024h 0_2_008282AD
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0043102C pushad ; retf 0_2_0043102D
Source: PR.exe; Static PE information: section name: .p0
Source: PR.exe; Static PE information: section name: .p1
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042EACC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0042EACC
Source: initial sample; Static PE information: section where entry point is pointing to: .p1
Source: initial sample; Static PE information: section name: .p1 entropy: 7.632325075524795
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\PR.exe; File created: C:\Users\user\AppData\Local\Temp\htmlayout.dll (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 77A20005 value: E9 FB BF E9 FF
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 778BC000 value: E9 FB 80 B6 88
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 77A20017 value: E9 9C E0 ED FF
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 778FE0B0 value: E9 DB 60 B2 88
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 74AA0005 value: E9 CB 5A E6 FF
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 74905AD0 value: E9 3B E5 B1 8B
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 74AA0014 value: E9 4C B0 E8 FF
Source: C:\Users\user\Desktop\PR.exe; Memory written: PID: 6128 base: 7492B060 value: E9 3B 90 AF 8B
Source: C:\Users\user\Desktop\PR.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-25233
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00740025 rdtsc 0_2_00740025
Source: C:\Users\user\Desktop\PR.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PR.exe; System information queried: ModuleInformation
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004012DE FindFirstFileW,FindNextFileW,RemoveDirectoryW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_004012DE
Source: C:\Users\user\Desktop\PR.exe; API call chain: ExitProcess graph end node graph_0-25485
Source: C:\Users\user\Desktop\PR.exe; API call chain: ExitProcess graph end node graph_0-25158

Anti Debugging

Source: C:\Users\user\Desktop\PR.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0040707A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040707A
Source: C:\Users\user\Desktop\PR.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\PR.exe; Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042EACC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0042EACC
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_004014D8 OpenProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,SetLastError,GetLastError,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,0_2_004014D8
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00740025 rdtsc 0_2_00740025
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00424944 LdrFindResource_U,0_2_00424944
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0040D057 SetUnhandledExceptionFilter,0_2_0040D057
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0040707A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040707A
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042B08C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042B08C
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00409537 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00409537
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042E826 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0042E826
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_0042AEE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0042AEE9

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00401000 CreateToolhelp32Snapshot,Process32FirstW,PathFindFileNameW,StrCmpIW,Process32NextW,CloseHandle,0_2_00401000
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00402025 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,MessageBoxW,0_2_00402025
Source: C:\Users\user\Desktop\PR.exe; Code function: GetLocaleInfoA,0_2_00430543
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00409A25 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_00409A25
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00402B22 SHGetValueA,__time64,__localtime64_s,SHSetValueA,GetVersionExW,CoCreateGuid,UuidToStringW,__snwprintf,RpcStringFreeW,SHSetValueW,0_2_00402B22
Source: C:\Users\user\Desktop\PR.exe; Code function: 0_2_00407846 GetSystemTimeAsFileTime,__aulldiv,0_2_00407846
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count shown next to a matched technique)

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
Execution: Command and Scripting Interpreter (3) | Native API (2) | At (Linux) | At (Windows) | Cron | Launchd
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common
Privilege Escalation: Process Injection (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (11) | Process Injection (1) | Obfuscated Files or Information (21) | Software Packing (11) | Software Packing | Steganography
Credential Access: Credential API Hooking (1) | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
Discovery: System Time Discovery (2) | Security Software Discovery (14) | Virtualization/Sandbox Evasion (11) | Process Discovery (12) | File and Directory Discovery (1) | System Information Discovery (14)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
Collection: Credential API Hooking (1) | Archive Collected Data (1) | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1) | Junk Data | Steganography | Protocol Impersonation | Fallback Channels | Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication | Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings | Abuse Accessibility Features
Antivirus results for the submitted file (Source | Detection | Scanner | Label):
PR.exe | 46% | ReversingLabs | Win32.PUA.ExpressDownloader
PR.exe | 44% | Virustotal |
PR.exe | 24% | Metadefender |
PR.exe | 100% | Joe Sandbox ML |

Antivirus results for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\htmlayout.dll | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\htmlayout.dll | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\htmlayout.dll | 5% | Metadefender |

Antivirus results for unpacked PE files (Source | Detection | Scanner | Label):
0.2.PR.exe.10000000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

No Antivirus matches

Antivirus results for URLs (Source | Detection | Scanner | Label):
http://terrainformatica.com/forums/topic.php?id=1772 | 1% | Virustotal |
http://terrainformatica.com/forums/topic.php?id=1772 | 0% | Avira URL Cloud | safe
http://terrainformatica.comD | 0% | Avira URL Cloud | safe
No contacted domains info
URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula | PR.exe | false | | high
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulalegal_terms2checkbox_install_too | PR.exe | false | | high
http://www.babylon.com/toolbar0 | PR.exe, 00000000.00000002.499417994.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.babylon.com/toolbar | PR.exe | false | | high
http://terrainformatica.com/forums/topic.php?id=1772 | PR.exe, 00000000.00000003.243147116.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, PR.exe, 00000000.00000002.499575324.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, PR.exe, 00000000.00000002.501548684.0000000010223000.00000040.00000001.01000000.00000004.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://terrainformatica.comD | PR.exe, 00000000.00000002.501649671.000000001025D000.00000004.00000001.01000000.00000004.sdmp, htmlayout.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.nmsu.edu/~mleisher/ucdata.html) | PR.exe, 00000000.00000002.501649671.000000001025D000.00000004.00000001.01000000.00000004.sdmp, htmlayout.dll.0.dr | false | | high

No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 723837
Start date and time: 2022-10-15 19:00:33 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PR.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 84%
  • Number of executed functions: 25
  • Number of non-executed functions: 48
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
Dropped file context (Match | Associated Sample Name / URL | SHA 256 | Detection | Context):
C:\Users\user\AppData\Local\Temp\htmlayout.dll | study_guide_with_answers_for_fresh_water_certifications_california_downloader_2505b.exe | (hash not shown) | malicious |
Process: C:\Users\user\Desktop\PR.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 936960
Entropy (8bit): 7.924513528423757
Encrypted: false
SSDEEP: 12288:b3nqQ3krBXVXoxwXjND3iZ8baxfSelRmMimfwoCFSkylHu8DL6y47KYuLB3KikSQ:bM91XjQikAmf/T1Huc747KhgtSTEyY
MD5: A55B82103A202C20717F45C201EC4553
SHA1: C6607F6201793A20131281F3C5F612F38AE024D5
SHA-256: C7EAAE39F8DAF00F43FEE614EF0FC4A4797252C409AF1A5E36AF439E7165FC05
SHA-512: 993891C388570612D1A6834489FCB80A32AB23A3E59859C0BFD9B60903CE240ACE1058E0F062F3C8A415505F85EF28D29D1C6DF7477E30A2BBB2D7F66F455F65
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 2%
  • Antivirus: Virustotal, Detection: 1%
  • Antivirus: Metadefender, Detection: 5%
Joe Sandbox View:
  • Filename: study_guide_with_answers_for_fresh_water_certifications_california_downloader_2505b.exe, Detection: malicious
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.885963019060166
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PR.exe
File size: 4721272
MD5: 4d32fa0ee0e0bf3e02f9c951b62f10d1
SHA1: 55924e7ed2192b0d6cadfa327bf9271833a18f53
SHA256: 31c5cfa7a0f0a0632b3c4b9edec97c1644d992fc6b16a7e772d09ad8f73c3c70
SHA512: 274ef06aee2958556af786613568378f2567a77521b3367cec58567132f362f05a0cde474fc769983e3be9b1a36ffa0889f1fc6582d07abdde696fb15296db2a
SSDEEP: 98304:fY9Aw2AWi+v+iPP2sq3pfe+amFFMj1INPtm:97vvP2sq31eDmy1gPQ
TLSH: 6C2623927275C032C0430E7DE861C0FDAD78AC54EB7088C776D83E6B76F26956A3A356
Icon Hash: 2d0c2f8b0e0d1307
Entrypoint: 0x84554f
Entrypoint Section: .p1
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x4EF9E421 [Tue Dec 27 15:28:33 2011 UTC]
TLS Callbacks: 0x83b609
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 8a72f9325ccba2e6d83699ae4ce47f63
Signature Valid: true
Signature Issuer: CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
  • 12/15/2011 4:00:00 PM, 12/15/2012 3:59:59 PM
Subject Chain:
  • CN=Faglaro Enterprises Limited, O=Faglaro Enterprises Limited, STREET="Konstantinoupoleos, 22", L=Nicosia, S=Aglantzia/Cyprus, PostalCode=2107, C=CY
Version: 3
Thumbprint MD5: 65650DB9F1757E4030C150B4C95BCE6D
Thumbprint SHA-1: D76FF3FA2EB22BF49CB793A7BCB814CC54ADDB16
Thumbprint SHA-256: 3201389CCD8D95CB2C9CAFF84FB21957393031D240BEF84023ED4220B5264522
Serial: 00DD2A4BBB66262A8FB4E084560573E908
Instructions at entry point:
push A03511A6h
pushfd
push dword ptr [esp+04h]
mov byte ptr [esp], al
mov dword ptr [esp+08h], 12043840h
jmp 00007F5A50DF77C9h
add byte ptr [eax], al
inc esp
jne 00007F5A50DFB7D2h
insb
imul esp, dword ptr [ebx+61h], 6F546574h
imul esp, dword ptr [ebp+6Eh], 45h
js 00007F5A50DFB762h
cmc
jmp 00007F5A50DF6856h
clc
push dword ptr [edi]
pop dword ptr [esp+0Ch]
cmp dl, FFFFFFD9h
clc
cmp edi, ebx
mov byte ptr [esp+08h], 00000074h
pushad
mov byte ptr [esp], FFFFFFB7h
pushfd
lea esp, dword ptr [esp+30h]
ja 00007F5A50DF334Ch
clc
call 00007F5A50DFC12Eh
inc esi
pushad
inc edi
mov byte ptr [esp+08h], cl
lea esp, dword ptr [esp+24h]
jmp 00007F5A50DF7FDDh
add byte ptr [eax], al
push ebp
outsb
push 6C646E61h
inc ebp
js 00007F5A50DFB7C5h
jo 00007F5A50DFB7D7h
imul ebp, dword ptr [edi+6Eh], 746C6946h
jc 00007F5A50DFB763h
mov dword ptr [esp+24h], 0083A459h
push 5B4C937Bh
push edi
jmp 00007F5A50DF0778h
out dx, eax
jno 00007F5A50DFB7DDh
add dword ptr [ecx], edi
push ds
mov ds, word ptr [eax]
xchg esp, eax
cmp dl, byte ptr [ebx+ebp*8-0D0B5DD0h]
test byte ptr [edx], dl
xchg eax, esp
xlatb
fsubr qword ptr [esi+08h]
aas
push esp
mov ebx, BEB87608h
pushad
scasb
nop
fcom dword ptr [edi-59F54D6Eh]
or ebp, dword ptr [ebp-51h]
Programming Language:
  • [C++] VS2010 SP1 build 40219
  • [C++] VS2010 build 30319
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [ASM] VS2010 SP1 build 40219
  • [ C ] VS2010 SP1 build 40219
  • [RES] VS2010 SP1 build 40219
  • [LNK] VS2010 SP1 build 40219
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x437922 | 0xc50 | .p0
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43b4ac | 0x104 | .p1
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44a000 | 0x3b6c1 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x47f000 | 0x1a78 | .rsrc
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x43cc68 | 0x20 | .p1
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x43ddd4 | 0x420 | .p1
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x11c2b | 0x11e00 | False | 0.5970962631118881 | data | 6.598860248501709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x13000 | 0x77c0 | 0x7800 | False | 0.5557942708333333 | data | 6.160344874513789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x1b000 | 0x3084 | 0x1200 | False | 0.2133246527777778 | data | 2.5802933454414196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .p0 | 0x1f000 | 0x419572 | 0x419600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .tls | 0x439000 | 0x18 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .p1 | 0x43a000 | 0xf2c8 | 0xf400 | False | 0.8702612704918032 | data | 7.632325075524795 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x44a000 | 0x3b6c1 | 0x3b800 | False | 0.0679695706407563 | data | 2.5785919717396517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x44a548 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
              RT_ICON | 0x44a9b0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | |
              RT_ICON | 0x44b338 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
              RT_ICON | 0x44c3e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | |
              RT_ICON | 0x44e988 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | |
              RT_ICON | 0x452bb0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | |
              RT_ICON | 0x4633d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
              RT_ICON | 0x463840 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | |
              RT_ICON | 0x4641c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
              RT_ICON | 0x465270 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | |
              RT_ICON | 0x467818 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | |
              RT_ICON | 0x46ba40 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | |
              RT_GROUP_ICON | 0x47c268 | 0x5a | data | |
              RT_GROUP_ICON | 0x47c2c4 | 0x5a | data | |
              RT_VERSION | 0x47c320 | 0x378 | data | |
              RT_HTML | 0x47c698 | 0xa8a | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
              RT_HTML | 0x47d124 | 0x377c | HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (1102), with CRLF line terminators | |
              RT_HTML | 0x4808a0 | 0x34bf | HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (1102), with CRLF line terminators | |
              RT_HTML | 0x483d60 | 0x967 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
              RT_HTML | 0x4846c8 | 0x767 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
              RT_HTML | 0x484e30 | 0x64b | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
              RT_MANIFEST | 0x48547c | 0x245 | ASCII text, with very long lines (364), with CRLF line terminators | English | United States
              DLL | Import
              RPCRT4.dll | UuidToStringW, RpcStringFreeW
              SHLWAPI.dll | SHSetValueW, PathFindFileNameW, SHGetValueA, SHSetValueA, SHGetValueW, SHDeleteValueW, SHDeleteKeyW, StrCmpIW, PathRemoveExtensionW
              USER32.dll | CreateWindowExW, GetMessageW, DispatchMessageW, GetWindowRect, PostQuitMessage, DefWindowProcW, ShowWindow, MessageBoxW, GetWindowThreadProcessId, GetShellWindow, LoadIconW, RegisterClassExW, LoadCursorW, GetSystemMetrics, TranslateMessage
              KERNEL32.dll | GetStringTypeW, GetConsoleMode, GetConsoleCP, QueryPerformanceCounter, HeapCreate, GetFileType, InitializeCriticalSectionAndSpinCount, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetStdHandle, IsProcessorFeaturePresent, ExitProcess, HeapSize, Sleep, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, FindFirstFileW, SetFilePointer, VirtualQuery, VirtualFree, WriteFile, OpenProcess, WideCharToMultiByte, TerminateProcess, ReadFile, CreateFileW, MultiByteToWideChar, GetLastError, FindClose, Process32FirstW, RemoveDirectoryW, Process32NextW, FindNextFileW, CreateToolhelp32Snapshot, CloseHandle, DeleteFileW, GetCurrentProcessId, CreateProcessW, HeapAlloc, HeapFree, GetProcessHeap, SetLastError, GetProcAddress, GetModuleHandleA, FindResourceA, FreeResource, LoadResource, LoadLibraryW, SizeofResource, GetTempPathW, LockResource, CreateMutexW, CreateDirectoryW, CopyFileW, GetModuleFileNameW, FindResourceW, GetVersionExW, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, GetTickCount, MapViewOfFile, SetEvent, SetEnvironmentVariableA, OpenFileMappingA, MoveFileExW, GetModuleHandleW, GetCurrentThreadId, RtlUnwind, HeapReAlloc, SetStdHandle, WriteConsoleW, FlushFileBuffers, CompareStringW, VirtualAlloc, OpenEventA, TlsAlloc, IsValidCodePage, GetOEMCP, GetACP, InterlockedDecrement, InterlockedIncrement, GetCPInfo, GetTimeZoneInformation, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetStartupInfoW, HeapSetInformation, GetCommandLineA, LocalAlloc, FreeLibrary, InterlockedExchange, LoadLibraryA, RaiseException, GetSystemTimeAsFileTime, EncodePointer, DecodePointer
              ADVAPI32.dll | SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetSecurityDescriptorGroup, DuplicateTokenEx, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, OpenProcessToken, SetSecurityDescriptorSacl
              SHELL32.dll | SHGetSpecialFolderPathW, SHChangeNotify, ShellExecuteW
              ole32.dll | CoCreateInstance, CoInitialize, CoCreateGuid, CoUninitialize
              OLEAUT32.dll | SysFreeString, SysAllocString
              KERNEL32.dll | InitializeCriticalSection, GetModuleFileNameW, GetModuleHandleW, TerminateProcess, GetCurrentProcess, DeleteCriticalSection, LoadLibraryW, CreateEventW, CompareStringW, SetLastError, GetModuleHandleA, VirtualProtect, GetTickCount, EnterCriticalSection, LeaveCriticalSection, VirtualFree, VirtualAlloc, WriteProcessMemory, CreateToolhelp32Snapshot, GetCurrentProcessId, GetCurrentThreadId, Thread32First, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, GetSystemInfo, FreeLibrary, LoadResource, MultiByteToWideChar, WideCharToMultiByte, FindResourceExW, FindResourceExA, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, HeapAlloc, HeapFree, HeapDestroy, HeapCreate, GetSystemTime, GetLocalTime, SystemTimeToFileTime, CompareFileTime, GetCommandLineA, GetLastError, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, WriteFile, GetStdHandle, GetModuleFileNameA, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, ExitProcess, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapReAlloc, HeapSize, LoadLibraryA, GetLocaleInfoA, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, VirtualQuery
              USER32.dll | MessageBoxW, CharUpperBuffW, wsprintfW
              KERNEL32.dll | GetModuleFileNameW
              KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              No network behavior found
              Target ID:0
              Start time:19:01:20
              Start date:15/10/2022
              Path:C:\Users\user\Desktop\PR.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\PR.exe
              Imagebase:0x400000
              File size:4721272 bytes
              MD5 hash:4D32FA0EE0E0BF3E02F9C951B62F10D1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

                Execution Graph

                Execution Coverage:3%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:5.7%
                Total number of Nodes:662
                Total number of Limit Nodes:35
25896->25890 25897->25896 25900 405bd0 25897->25900 25898 4044a2 25898->25890 25902 40ca9f 66 API calls 25900->25902 25901 405be1 25901->25898 25902->25901 25904 404531 25903->25904 25905 404547 _memmove 25903->25905 25906 405bd0 66 API calls 25904->25906 25905->25893 25906->25905 25907->25821 25908->25829 25909->25825 25910->25828 25912 404002 25911->25912 25913 404007 LoadIconW LoadCursorW LoadIconW RegisterClassExW 25911->25913 25912->25913 25914 404084 GetSystemMetrics GetCurrentProcessId GetSystemMetrics GetTickCount CreateWindowExW 25913->25914 25915 402db4 25913->25915 25914->25915 25916 4040ed ShowWindow HTMLayoutSetCallback HTMLayoutWindowAttachEventHandler 25914->25916 25915->25834 25915->25835 25915->25836 25916->25915 25918 4078b5 25917->25918 25919 4078cd 25917->25919 25972 409704 66 API calls __getptd_noexit 25918->25972 25920 4078f1 25919->25920 25922 4078dc 25919->25922 25976 40b6e1 102 API calls 11 library calls 25920->25976 25974 409704 66 API calls __getptd_noexit 25922->25974 25923 4078ba 25973 4096b2 11 API calls __wcsicmp_l 25923->25973 25926 4078e1 25975 4096b2 11 API calls __wcsicmp_l 25926->25975 25929 407924 25930 407932 25929->25930 25932 402eb8 25929->25932 25977 408727 97 API calls 5 library calls 25929->25977 25930->25932 25978 408727 97 API calls 5 library calls 25930->25978 25932->25839 25935 402d5b 25934->25935 25936 402cce 25934->25936 25937 40707a __setmbcp_nolock 5 API calls 25935->25937 25979 4011c3 CreateFileW 25936->25979 25938 402d6e 25937->25938 25945 403acb SHGetValueW 25938->25945 25942 402d27 25990 4010fd 85 API calls 25942->25990 25944 402d3b VirtualFree 25944->25935 25945->25844 25947 4037a3 25946->25947 25948 40382c PostQuitMessage 25947->25948 25950 40384c 25947->25950 25971 403833 25948->25971 25949 40707a __setmbcp_nolock 5 API calls 25951 403842 25949->25951 25991 404167 25950->25991 25951->25834 25955 4038c7 26000 404203 HTMLayoutVisitElements 25955->26000 25957 4038d9 26001 404203 HTMLayoutVisitElements 
25957->26001 25959 407897 __snwprintf 102 API calls 25960 4038eb 25959->25960 25960->25959 25962 40392a 25960->25962 26002 404203 HTMLayoutVisitElements 25960->26002 26003 404203 HTMLayoutVisitElements 25962->26003 25965 403936 26004 404203 HTMLayoutVisitElements 25965->26004 25966 4039ce 25966->25971 26005 40374d HTMLayoutSetElementState HTMLayoutVisitElements 25966->26005 25967 403983 25967->25966 25970 403a14 25967->25970 25967->25971 25970->25971 26006 40374d HTMLayoutSetElementState HTMLayoutVisitElements 25970->26006 25971->25949 25972->25923 25973->25932 25974->25926 25975->25932 25976->25929 25977->25930 25978->25932 25980 401257 GetLastError 25979->25980 25981 4011ea GetFileSize 25979->25981 25984 40125d 25980->25984 25982 401248 GetLastError 25981->25982 25983 4011f9 VirtualAlloc 25981->25983 25985 40124e CloseHandle 25982->25985 25983->25985 25986 40120f ReadFile 25983->25986 25984->25935 25989 4075d2 102 API calls 4 library calls 25984->25989 25985->25984 25987 401231 GetLastError VirtualFree 25986->25987 25988 401223 25986->25988 25987->25985 25988->25985 25989->25942 25990->25944 25992 40292d 81 API calls 25991->25992 25993 40417b 25992->25993 25994 404180 HTMLayoutLoadHtml HTMLayoutGetRootElement HTMLayout_UseElement 25993->25994 25997 4038b3 25993->25997 25995 4041d3 HTMLayout_UseElement 25994->25995 25996 4041cc HTMLayout_UnuseElement 25994->25996 25995->25997 25998 4041ef HTMLayout_UnuseElement 25995->25998 25996->25995 25997->25971 25999 404203 HTMLayoutVisitElements 25997->25999 25998->25997 25999->25955 26000->25957 26001->25960 26002->25960 26003->25965 26004->25967 26005->25966 26006->25970 26007->25849 26008 6314ac 26009 6314b6 26008->26009 26010 4b0c91 26008->26010 26013 82d225 26010->26013 26014 4b9a72 26013->26014 26014->26013 26015 8343ef 26014->26015 26017 4b9abe SuspendThread 26014->26017 26018 4224fa 77 API calls 26014->26018 26017->26014

                Control-flow Graph

                APIs
                • _memset.LIBCMT ref: 0040337B
                • _memset.LIBCMT ref: 00403392
                • _memset.LIBCMT ref: 004033A9
                • CoInitialize.OLE32(00000000), ref: 004033B2
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004033C5
                • PathFindFileNameW.SHLWAPI(?), ref: 004033DB
                • PathRemoveExtensionW.SHLWAPI(?,?), ref: 0040343D
                • GetMessageW.USER32(?,00000005,?), ref: 004034C9
                • TranslateMessage.USER32(?), ref: 004034EA
                • DispatchMessageW.USER32 ref: 004034F7
                • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00403507
                • CoUninitialize.OLE32 ref: 0040350E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Message_memset$FileNamePath$CallbackDispatchDispatcherExtensionFindInitializeModuleRemoveTranslateUninitializeUser
                • String ID: _downloader$uninstall.exe
                • API String ID: 1925323219-1242169958
                • Opcode ID: c324590a0ce745eda1344a380bc435acc89318a2be9a551ed4d93f5a503d84b7
                • Instruction ID: 4c72e9e54b9c5b156c6e465c00aec75b6206f9886f539bb8ff1e4c5f3ecefcbb
                • Opcode Fuzzy Hash: c324590a0ce745eda1344a380bc435acc89318a2be9a551ed4d93f5a503d84b7
                • Instruction Fuzzy Hash: E951D8B29002186BDB20AFB49C49DEB7BBDAF04305F0044BBE505E7191E639DF84CB19
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Control-flow graph of function 004018BE (executed / not-executed basic-block listing; the rendered graph is not available in this extraction)
                APIs
                • LockResource.KERNEL32(00000000), ref: 004018F4
                • SizeofResource.KERNEL32(00000000,00000000), ref: 00401903
                  • Part of subcall function 00401738: VirtualQuery.KERNEL32(?,?,0000001C), ref: 004017EA
                  • Part of subcall function 00401738: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0040180C
                  • Part of subcall function 00401738: VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0040181C
                  • Part of subcall function 00401738: _memmove.LIBCMT ref: 00401839
                  • Part of subcall function 00401738: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0040184B
                  • Part of subcall function 00401738: _memmove.LIBCMT ref: 0040187E
                • CreateFileW.KERNEL32(?,C0000000,00000001,?,00000004,00000000,00000000), ref: 0040192E
                • VirtualFree.KERNELBASE(?,00000000,00000000,00008000), ref: 00401957
                  • Part of subcall function 004010C3: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 004010D0
                  • Part of subcall function 004010C3: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004010E4
                  • Part of subcall function 004010C3: FindCloseChangeNotification.KERNEL32(?), ref: 004010F2
                • FreeResource.KERNEL32(?), ref: 00401960
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Virtual$FileFreeResource$Query_memmove$AllocChangeCloseCreateFindLockNotificationPointerSizeofWrite
                • String ID: DATA
                • API String ID: 3338994381-2607161047
                • Opcode ID: 43634e365bc6304ab77662dd5d6e79e39689ae69be95f1e161d3ea62de2dfd7f
                • Instruction ID: b6a72d859ebda8869b5ec73df7a6c5c7c88b4df4c73b1f2fdcee4555530aa3c9
                • Opcode Fuzzy Hash: 43634e365bc6304ab77662dd5d6e79e39689ae69be95f1e161d3ea62de2dfd7f
                • Instruction Fuzzy Hash: 9411C1B29001547FCB202FB09C89EEF7FACEB093A5F148176F602B21A0D6354E05CA68
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: _memmove
                • String ID: $=A
                • API String ID: 4104443479-2872446614
                • Opcode ID: 40503abbdc25397d16d02e79969c2ce682e5507a5d6ef3e192dadf46dc2f7650
                • Instruction ID: 958b532b45518b410c63ed0a0fa3cb7b791211a8b1247b0f4ebe38763940f10d
                • Opcode Fuzzy Hash: 40503abbdc25397d16d02e79969c2ce682e5507a5d6ef3e192dadf46dc2f7650
                • Instruction Fuzzy Hash: 31425DB0A00606EFDB18CFA9C4947AAB7B1FF84314F14826ED91567781D379A991CFC8
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID: ,<A
                • API String ID: 0-3158208111
                • Opcode ID: 5fb24749b243ac1bb5544f10881352a6255c9b45cb4883c4c2a4926d12b19fdb
                • Instruction ID: 6749fb4c82892b048401d6f7300d245d6c794ae251d6cbf270c4ca08fd9c1e47
                • Opcode Fuzzy Hash: 5fb24749b243ac1bb5544f10881352a6255c9b45cb4883c4c2a4926d12b19fdb
                • Instruction Fuzzy Hash: 41629BB0E00A16DBCB08CF55C4906EEBBB2FF84311F14826EC8566BB84D778A955DF94
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • LoadIconW.USER32(?,ED-UNINSTALL), ref: 00404009
                • LoadCursorW.USER32 ref: 0040403E
                • LoadIconW.USER32(00007F00,00007F00), ref: 00404061
                • RegisterClassExW.USER32 ref: 0040406E
                • GetSystemMetrics.USER32 ref: 00404085
                • GetCurrentProcessId.KERNEL32 ref: 00404096
                • GetSystemMetrics.USER32 ref: 004040A6
                • GetTickCount.KERNEL32 ref: 004040B7
                • CreateWindowExW.USER32 ref: 004040DD
                • ShowWindow.USER32(00000000,00000000), ref: 004040EF
                • HTMLayoutSetCallback.HTMLAYOUT(?,00404253,?), ref: 00404101
                • HTMLayoutWindowAttachEventHandler.HTMLAYOUT(?,Function_000026FA,?,0000FFFF), ref: 00404118
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: LoadWindow$IconLayoutMetricsSystem$AttachCallbackClassCountCreateCurrentCursorEventHandlerProcessRegisterShowTick
                • String ID: 0$ED-INSTALL$ED-UNINSTALL$Express Files Installer
                • API String ID: 210944194-3508738347
                • Opcode ID: 06d340f8641b789c9a5e5abd886eba0797611e60d313e248d42d0477f59ae928
                • Instruction ID: b7c46b048ad1924dbec244454a61321318e935f4e6c9be6193158c84f22ab041
                • Opcode Fuzzy Hash: 06d340f8641b789c9a5e5abd886eba0797611e60d313e248d42d0477f59ae928
                • Instruction Fuzzy Hash: 51414EB1940309AFCB109FA5ED88ADABFF9FF48305F10852EF555A6290C7789A50CF58
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • __EH_prolog3.LIBCMT ref: 00402D77
                  • Part of subcall function 00403FBE: LoadIconW.USER32(?,ED-UNINSTALL), ref: 00404009
                  • Part of subcall function 00403FBE: LoadCursorW.USER32 ref: 0040403E
                  • Part of subcall function 00403FBE: LoadIconW.USER32(00007F00,00007F00), ref: 00404061
                  • Part of subcall function 00403FBE: RegisterClassExW.USER32 ref: 0040406E
                • __snwprintf.LIBCMT ref: 00402DFD
                • _memset.LIBCMT ref: 00402E63
                • _memset.LIBCMT ref: 00402E89
                • __snwprintf.LIBCMT ref: 00402EB3
                • __snwprintf.LIBCMT ref: 00402EC6
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000001), ref: 00402EF9
                • _memset.LIBCMT ref: 00402F31
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Load__snwprintf_memset$Icon$ClassCursorFolderH_prolog3PathRegisterSpecial
                • String ID: 0.2$000$109130$\ExpressFiles$install_dir$magnets://&dn=%s
                • API String ID: 185405883-2498389280
                • Opcode ID: 79e3d5576d4aaa686428d6ada03952e0f5d0565c25d4f907fa76fc17c96a4213
                • Instruction ID: ea2785b9a7cfe83e38df8a92285021a84428914f4ddce35af8cdc146302160d4
                • Opcode Fuzzy Hash: 79e3d5576d4aaa686428d6ada03952e0f5d0565c25d4f907fa76fc17c96a4213
                • Instruction Fuzzy Hash: 8051F572940201AADF109F25DD8ABD73BA4AF15344F08447EBC08AF2C3DBB89A44C769
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not reproduced; the node list below gives each basic block as a start-end address range with the APIs and subcalls made in it, and edges as source->target)
                control_flow_graph 110 403784-4037a1 111 4037a3-4037a6 110->111 112 4037e4-4037f9 110->112 113 4037a8-4037ab 111->113 114 40381a 111->114 115 403808-40380f 112->115 116 4037fb-403804 112->116 119 4037d3-4037da 113->119 120 4037ad 113->120 118 403820-40382a 114->118 115->114 117 403811-403818 115->117 116->115 117->118 121 403844-40384a 118->121 122 40382c-40382d PostQuitMessage 118->122 119->117 124 4037dc-4037e2 119->124 120->118 123 4037af-4037b2 120->123 121->122 126 40384c-40384f 121->126 125 403833 122->125 123->118 127 4037b4-4037d1 123->127 124->118 128 403835-403843 call 40707a 125->128 129 403851-403854 126->129 130 403866-403868 126->130 127->118 132 403856-403864 129->132 133 403886-403891 130->133 134 40386a-403870 130->134 135 403898-4038ae call 407972 call 404167 132->135 133->135 134->133 137 403872-403884 134->137 141 4038b3-4038b5 135->141 137->132 141->125 142 4038bb-4038f1 call 404203 * 3 141->142 149 4038f7-403928 call 407897 call 404203 142->149 154 40392a-40394a call 404203 149->154 157 403977-40398b call 404203 154->157 158 40394c-403974 call 4035f4 154->158 163 4039b8-4039c0 157->163 164 40398d-4039b5 call 4035f4 157->164 158->157 163->125 165 4039c6-4039cc 163->165 164->163 168 403a14 165->168 169 4039ce-4039f6 165->169 173 403a19-403a2c 168->173 171 403a48-403a4a 169->171 172 4039f8-403a01 call 40374d 169->172 171->128 172->125 179 403a07-403a10 172->179 173->171 176 403a2e-403a37 call 40374d 173->176 176->125 181 403a3d-403a46 176->181 179->169 182 403a12 179->182 181->171 181->173 182->171
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: the same 23 dumps (0000000000400000 through 000000000087B000) listed under the previous Memory Dump Source
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: MessagePostQuit__snwprintf
                • String ID: install_folder$next_page$prev_page$search_keyword$side_page_%d$skip_page$m@
                • API String ID: 332545653-1195871625
                • Opcode ID: 2d3211c976f39a1ad3cae1e698c64a211162ba75ea046345c91a74a11c8fd23e
                • Instruction ID: 0742a25780819667d97fd00682e1908afe3abac025f018701c19e54c2fcfc051
                • Opcode Fuzzy Hash: 2d3211c976f39a1ad3cae1e698c64a211162ba75ea046345c91a74a11c8fd23e
                • Instruction Fuzzy Hash: D171A3B2B001456BC719EF64CC85BEABB9CBB44309F0445BBE515B72C2D7B8AB518B84
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not reproduced; the node list below gives each basic block as a start-end address range with the APIs and subcalls made in it, and edges as source->target)
                control_flow_graph 183 401738-401796 call 410340 call 404500 188 4018a5-4018bd call 40707a 183->188 189 40179c-4017a9 183->189 191 4017ad-4017db call 404620 189->191 195 40185b-401869 VirtualAlloc 191->195 196 4017dd-4017f2 VirtualQuery 191->196 199 40186d-40188a call 4082c0 195->199 197 401841-401859 VirtualFree 196->197 198 4017f4-4017fa 196->198 197->199 198->197 200 4017fc-401812 VirtualAlloc 198->200 199->191 206 401890-4018a3 call 405b80 199->206 200->197 202 401814-40182a VirtualQuery 200->202 204 401830-40183e call 4082c0 202->204 205 40182c 202->205 204->197 205->204 206->188
                APIs
                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 004017EA
                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0040180C
                • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0040181C
                • _memmove.LIBCMT ref: 00401839
                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0040184B
                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00401867
                • _memmove.LIBCMT ref: 0040187E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: the same 23 dumps (0000000000400000 through 000000000087B000) listed under the previous Memory Dump Source
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Virtual$AllocQuery_memmove$Free
                • String ID: 1.2.5
                • API String ID: 4294742970-1624589015
                • Opcode ID: 31501027feff36da652c365caaae3264d79ff67f4ca3a71e9f11514a9d4cf7f2
                • Instruction ID: 86625964a9214b745db249fa7d2cbd1e1e24644384fedf20ee64b46e1609f527
                • Opcode Fuzzy Hash: 31501027feff36da652c365caaae3264d79ff67f4ca3a71e9f11514a9d4cf7f2
                • Instruction Fuzzy Hash: 56412DB2908300AFD311DF55D841A5FBBE8FBC8754F10492EF694E2290D774EA45CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not reproduced; the node list below gives each basic block as a start-end address range with the APIs called in it, and edges as source->target)
                control_flow_graph 211 4011c3-4011e8 CreateFileW 212 401257 GetLastError 211->212 213 4011ea-4011f7 GetFileSize 211->213 216 40125d-401263 212->216 214 401248 GetLastError 213->214 215 4011f9-40120d VirtualAlloc 213->215 217 40124e-401255 CloseHandle 214->217 215->217 218 40120f-401221 ReadFile 215->218 217->216 219 401231-401246 GetLastError VirtualFree 218->219 220 401223-401228 218->220 219->217 220->217 221 40122a-40122f 220->221 221->217
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004011DD
                • GetFileSize.KERNEL32(00000000,00000000), ref: 004011EC
                • VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00401203
                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00401219
                • GetLastError.KERNEL32 ref: 00401231
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040123E
                • GetLastError.KERNEL32 ref: 00401248
                • CloseHandle.KERNEL32(00000000), ref: 0040124F
                • GetLastError.KERNEL32 ref: 00401257
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: the same 23 dumps (0000000000400000 through 000000000087B000) listed under the previous Memory Dump Source
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ErrorFileLast$Virtual$AllocCloseCreateFreeHandleReadSize
                • String ID:
                • API String ID: 1146571148-0
                • Opcode ID: 37dd9eed26a83323c2a284823be1f5f25ad69bc7794b18f68c4e50ebe19554da
                • Instruction ID: c12a782f906d818db8c3dc3d81b72a54dfbdf4662c09b18b9902188595212558
                • Opcode Fuzzy Hash: 37dd9eed26a83323c2a284823be1f5f25ad69bc7794b18f68c4e50ebe19554da
                • Instruction Fuzzy Hash: 3B115171201214BFD7215FA1AC4CEAF3EACEF4A762B114065FA0AF62A4C6748B41D669
                Uniqueness

                Uniqueness Score: -1.00%
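
                The APIs lists in these entries print every argument as raw hex, so the security-relevant values stay opaque: at 004011C3 CreateFileW is called with 80000000/00000001/00000003 and VirtualAlloc with 00003000/00000040, at 00401738 VirtualAlloc uses the same flags and VirtualFree uses 00008000, and the SHGetSpecialFolderPathW calls at 00402EF9 and 00402CC0 pass 00000026 and 0000001A. The Python below is an added example, not part of the Joe Sandbox report or of PR.exe. It parses lines in the report's `Api.MODULE(args), ref: address` format, decodes the standard Win32 constants (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, 0x8000 = MEM_RELEASE, 0x80000000 = GENERIC_READ, 0x1 = FILE_SHARE_READ, 0x3 = OPEN_EXISTING, 0x1A = CSIDL_APPDATA, 0x26 = CSIDL_PROGRAM_FILES) and flags the sequence the 004011C3 routine shows: a file opened for reading and read into a freshly allocated buffer that is both writable and executable. SAMPLE_TRACE inside the block is copied from this report; the file-to-RWX heuristic and the extra CSIDL_LOCAL_APPDATA table entry are the example's own additions, not Joe Sandbox signatures.

```python
"""Decode Win32 constants in Joe Sandbox API-trace lines.

Added example, not part of the Joe Sandbox report or of PR.exe.  Parses lines in
the format of the report's "APIs" lists, names the hex arguments that carry
security meaning (standard winnt.h / winbase.h / shlobj.h values) and flags
writable+executable allocations.  SAMPLE_TRACE is copied from this report.
"""
import re
from dataclasses import dataclass

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WRITABLE_EXECUTABLE = {0x40, 0x80}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# 0x1A and 0x26 are the two values this report uses; CSIDL_LOCAL_APPDATA is added by this example.
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES"}

# "ApiName.MODULE(arg,arg,...), ref: 0040xxxx"; the argument list is optional (GetLastError has none).
LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")


@dataclass
class Call:
    api: str
    module: str
    ref: str
    args: list          # one int per argument, None where the report shows '?'
    decoded: str = ""
    rwx: bool = False


def _parse_args(text):
    """'00000000,?,00003000,-00000004' -> [0, None, 0x3000, -4]."""
    out = []
    for tok in (text or "").split(","):
        tok = tok.strip()
        if tok in ("", "?"):
            out.append(None)
        else:
            out.append(-int(tok[1:], 16) if tok.startswith("-") else int(tok, 16))
    return out if text else []


def _hex(v):
    if v is None:
        return "?"
    return f"-0x{-v:X}" if v < 0 else f"0x{v:X}"


def _flags(value, table):
    """Expand a bitmask into OR-ed names; bits with no name are kept as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest or not names:
        names.append(_hex(rest if names else value))
    return "|".join(names)


def _decode(call):
    a = call.args
    arg = lambda i: a[i] if i < len(a) else None
    if call.api == "VirtualAlloc":
        prot = arg(3)
        call.rwx = prot in WRITABLE_EXECUTABLE
        call.decoded = (f"VirtualAlloc(addr={_hex(arg(0))}, size={_hex(arg(1))}, "
                        f"{_flags(arg(2), MEM_FLAGS)}, {PAGE_PROTECT.get(prot, _hex(prot))})")
    elif call.api == "VirtualFree":
        call.decoded = f"VirtualFree(addr={_hex(arg(0))}, size={_hex(arg(1))}, {_flags(arg(2), MEM_FLAGS)})"
    elif call.api == "CreateFileW":
        call.decoded = (f"CreateFileW(access={_flags(arg(1), ACCESS)}, share={_flags(arg(2), SHARE)}, "
                        f"disposition={DISPOSITION.get(arg(4), _hex(arg(4)))})")
    elif call.api == "SHGetSpecialFolderPathW":
        csidl = arg(2)
        call.decoded = f"SHGetSpecialFolderPathW({CSIDL.get(csidl, _hex(csidl))}, fCreate={_hex(arg(3))})"
    else:
        call.decoded = f"{call.api}({', '.join(_hex(v) for v in a)})"
    return call


def parse_trace(lines):
    """Parse report lines in call order; lines that are not API calls are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            calls.append(_decode(Call(m["api"], m["module"], m["ref"], _parse_args(m["args"]))))
    return calls


def rwx_allocations(calls):
    return [c.ref for c in calls if c.rwx]


def file_to_rwx_loader(calls):
    """Heuristic (this example's own): CreateFileW, then a writable+executable
    VirtualAlloc, then ReadFile, in trace order, i.e. a routine that reads a
    file straight into memory it could later execute."""
    stage = 0
    for c in calls:
        if stage == 0 and c.api == "CreateFileW":
            stage = 1
        elif stage == 1 and c.api == "VirtualAlloc" and c.rwx:
            stage = 2
        elif stage == 2 and c.api == "ReadFile":
            return True
    return False


# Copied from this report: the routine at 004011C3 plus the SHGetSpecialFolderPathW call at 00402CC0.
SAMPLE_TRACE = """
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004011DD
• GetFileSize.KERNEL32(00000000,00000000), ref: 004011EC
• VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00401203
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00401219
• GetLastError.KERNEL32 ref: 00401231
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040123E
• CloseHandle.KERNEL32(00000000), ref: 0040124F
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 00402CC0
""".strip().splitlines()

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for c in trace:
        print(f"{c.ref}  {'RWX ' if c.rwx else '    '}{c.decoded}")
    print("file-to-RWX loader pattern:", file_to_rwx_loader(trace))
```

                Paste any entry's APIs list into `parse_trace` to get the same decoding. An RWX allocation on its own is not a verdict (packers, JIT engines and sloppy resource loaders all do it); what makes 004011C3 worth a breakpoint is the whole read-into-executable-memory sequence, and the caller at 00402C96 (which calls 004011C3, formats the result with __snprintf and then releases the buffer with VirtualFree) is where to dump the loaded bytes and see whether they are code or, as the HTMLayout calls and the .css/.html strings elsewhere in this report suggest, UI resources.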

                Control-flow Graph (rendered graph not reproduced; the node list below gives each basic block as a start-end address range with the APIs and subcalls made in it, and edges as source->target)
                control_flow_graph 222 40292d-40294f 223 4029f5 222->223 224 402955-402958 222->224 225 4029f7-402a04 call 40707a 223->225 224->223 226 40295e-40298c PathFindFileNameW call 407972 call 4079be 224->226 233 4029ab 226->233 234 40298e-402995 226->234 236 4029ad-4029bf 233->236 234->233 235 402997-4029a6 call 411837 234->235 235->233 240 4029a8-4029a9 235->240 241 4029c1-4029c3 236->241 242 4029c5-4029c7 call 422a8a 236->242 240->236 241->225 243 4029cd-4029cf 242->243 243->241 244 4029d1-4029dc LockResource 243->244 244->241 245 4029de-4029f3 SizeofResource 244->245 245->225
                APIs
                • PathFindFileNameW.SHLWAPI(?,00000104), ref: 00402964
                • _wcsrchr.LIBCMT ref: 00402980
                • __wcsicoll.LIBCMT ref: 0040299D
                • LockResource.KERNEL32(00000000), ref: 004029D2
                • SizeofResource.KERNEL32(00000000,00000000), ref: 004029E0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: the same 23 dumps (0000000000400000 through 000000000087B000) listed under the previous Memory Dump Source
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Resource$FileFindLockNamePathSizeof__wcsicoll_wcsrchr
                • String ID: HTML
                • API String ID: 2245601013-787223889
                • Opcode ID: dda1e72e56ba5a56434a93195db2fa2a826fa0460f9a1286134031ebcd19e3a4
                • Instruction ID: d2d7791254bdd5dbebf1fad31e424753c879ce168d6b070590b9077a05e1630d
                • Opcode Fuzzy Hash: dda1e72e56ba5a56434a93195db2fa2a826fa0460f9a1286134031ebcd19e3a4
                • Instruction Fuzzy Hash: 42212CB1A00214ABCB209F25CD4D9EFB7BCAF05710F244576F415F32C0E6BC8D8196A9
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • __EH_prolog3.LIBCMT ref: 00402FF4
                  • Part of subcall function 0040292D: PathFindFileNameW.SHLWAPI(?,00000104), ref: 00402964
                  • Part of subcall function 0040292D: _wcsrchr.LIBCMT ref: 00402980
                  • Part of subcall function 0040292D: __wcsicoll.LIBCMT ref: 0040299D
                • HTMLayoutDataReady.HTMLAYOUT(?,?,?,?,?), ref: 00403098
                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004030A6
                • HTMLayoutDataReady.HTMLAYOUT(?,?,?,?), ref: 004030C2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: the same 23 dumps (0000000000400000 through 000000000087B000) listed under the previous Memory Dump Source
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: DataLayoutReady$FileFindFreeH_prolog3NamePathVirtual__wcsicoll_wcsrchr
                • String ID: .css$.html
                • API String ID: 3167611623-4083043085
                • Opcode ID: 432df8b93222d1f18cf9b40762c0fbb3e75d5c6c1ec1d04aa8d5ac892871735a
                • Instruction ID: b8d1d480978cf86a5870125b932f261cdf0a3e3d280eb0778ca8e60e29150886
                • Opcode Fuzzy Hash: 432df8b93222d1f18cf9b40762c0fbb3e75d5c6c1ec1d04aa8d5ac892871735a
                • Instruction Fuzzy Hash: 60216036900209AFCF11EF90CC41EDEBBB5AF08315F20847AE540771A1DB3AAE05DB28
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 0040292D: PathFindFileNameW.SHLWAPI(?,00000104), ref: 00402964
                  • Part of subcall function 0040292D: _wcsrchr.LIBCMT ref: 00402980
                  • Part of subcall function 0040292D: __wcsicoll.LIBCMT ref: 0040299D
                • HTMLayoutLoadHtml.HTMLAYOUT(?,?,004038B3,-00000004,00000000,?,?,?,004038B3,?,?,?), ref: 0040418D
                • HTMLayoutGetRootElement.HTMLAYOUT(?,00000000), ref: 004041A4
                • HTMLayout_UseElement.HTMLAYOUT(00000000), ref: 004041B7
                • HTMLayout_UnuseElement.HTMLAYOUT(?), ref: 004041CD
                • HTMLayout_UseElement.HTMLAYOUT(?), ref: 004041DB
                • HTMLayout_UnuseElement.HTMLAYOUT(?), ref: 004041F0
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: the same 23 dumps (0000000000400000 through 000000000087B000) listed under the previous Memory Dump Source
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Element$Layout_$LayoutUnuse$FileFindHtmlLoadNamePathRoot__wcsicoll_wcsrchr
                • String ID:
                • API String ID: 592801526-0
                • Opcode ID: 23b2188b13e09366928207186a69aecbe308896f3c39084960b98da94681c3d7
                • Instruction ID: fbd6acc7b171e58c408a97e6f1990444d0adef6c4c254aca0c88bb36e11ae2c2
                • Opcode Fuzzy Hash: 23b2188b13e09366928207186a69aecbe308896f3c39084960b98da94681c3d7
                • Instruction Fuzzy Hash: 3511A07559021AFFCB01CFA4DC88ADEBBB8FF04355F108121F904E6151D734AA559BD8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (node id: address range, calls and APIs in the block; then edges)

                • 304: 402c96-402cc8, SHGetSpecialFolderPathW
                • 305: 402d5d-402d6f, call 40707a
                • 306: 402cce-402cd6
                • 308: 402cd9-402ce3 (self-loop)
                • 310: 402ce5-402cfd, call 4011c3
                • 312: 402d02-402d08
                • 313: 402d0a-402d55, call 4075d2, call 4010fd, VirtualFree
                • 314: 402d5b-402d5c
                • Edges: 304->305, 304->306, 306->308, 308->308, 308->310, 310->312, 312->313, 312->314, 313->314, 314->305
                • Reading: the SHGetSpecialFolderPathW failure branch (304->305) goes straight to the epilogue; the __snprintf/VirtualFree block 313 is reached only through 306->308->310->312, i.e. only once the APPDATA path has been obtained.
                APIs
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 00402CC0 (csidl 0x1A = CSIDL_APPDATA, fCreate = 1)
                • __snprintf.LIBCMT ref: 00402D22 (builds the log path from the %ws and \Babylon\log_file.txt strings listed under Similarity, i.e. the roaming APPDATA folder followed by \Babylon\log_file.txt)
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D55 (dwFreeType 0x8000 = MEM_RELEASE)
                Strings
                • %ws
                • \Babylon\log_file.txt
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same 23 dumps as listed for the first 00401000-sourced function above (00400000, 00413000, 0041B000, 0041F000, 00420000, 00431000, 00432000, 00435000, 00437000 and 0083A000 through 0087B000)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: FolderFreePathSpecialVirtual__snprintf
                • String ID: %ws$\Babylon\log_file.txt
                • API String ID: 1580690700-2964430317
                • Opcode ID: bdc2ffd35a787e7dff7cd27678a4c457d3113ba41b49fc49a99695fa0d7ae68e
                • Instruction ID: 701b53b33f1e6b625f5b8f7938b7a6b3f20370d80b49a7aed30468fb6318e0b4
                • Opcode Fuzzy Hash: bdc2ffd35a787e7dff7cd27678a4c457d3113ba41b49fc49a99695fa0d7ae68e
                • Instruction Fuzzy Hash: 22110A76E0021CABDB259B64DC46FDF73BCAB08714F0001AAF515B61C0DEB49FC48A98
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (node id: address range, calls and APIs in the block; then edges)

                • 319: 402a05-402a24
                • 320: 402a61-402a64
                • 321: 402a26-402a28, PostQuitMessage
                • 322: 402a66-402a9c, DefWindowProcW, GetWindowRect
                • 323: 402a2e-402a42, HTMLayoutProcND
                • 324: 402a50-402a5e, call 40707a
                • 325: 402a44-402a4a, DefWindowProcW
                • Edges: 319->320, 319->321, 320->222 is not present; 320->322, 320->323, 321->323, 322->324, 323->324, 323->325, 325->324
                • Reading: a window procedure. One message value ends in PostQuitMessage (321); everything else is offered to HTMLayoutProcND first (323) and falls through to DefWindowProcW (325) when the engine leaves the message unhandled.
                APIs
                • PostQuitMessage.USER32(00000000), ref: 00402A28
                • HTMLayoutProcND.HTMLAYOUT(?,?,?,?,?), ref: 00402A38 (HTMLayout engine window-procedure hook; the fifth argument receives a handled flag)
                • DefWindowProcW.USER32(?,?,?,?), ref: 00402A4A (fallback when HTMLayoutProcND reports the message unhandled)
                • DefWindowProcW.USER32(?,?,?,?), ref: 00402A6C
                • GetWindowRect.USER32 ref: 00402A83
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same 23 dumps as listed for the first 00401000-sourced function above (00400000, 00413000, 0041B000, 0041F000, 00420000, 00431000, 00432000, 00435000, 00437000 and 0083A000 through 0087B000)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ProcWindow$LayoutMessagePostQuitRect
                • String ID:
                • API String ID: 1511509333-0
                • Opcode ID: 518305beab2af7f7448f46251e0551b1fe354645419727d614e3ae1f13e98812
                • Instruction ID: 90a3f11a1d24aca5853dd8f26fd1a97eb3622acbc46f7bdf96269802c25a46cf
                • Opcode Fuzzy Hash: 518305beab2af7f7448f46251e0551b1fe354645419727d614e3ae1f13e98812
                • Instruction Fuzzy Hash: 1F112E35600109AFDB10EFA5DD889FFBBBCEB4D315B10406AF902A2251C7749901DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (node id: address range, calls and APIs in the block; then edges)

                • 330: 40196e-40199b, GetTempPathW
                • 331: 40199e-4019a8 (self-loop)
                • 332: 4019aa-4019b8
                • 333: 4019ea
                • 334: 4019ba-4019d2, call 4018be
                • 336: 4019ec-4019f7, call 40707a
                • 339: 4019d4-4019e3, LoadLibraryW
                • 341: 4019e5-4019e8
                • Edges: 330->331, 331->331, 331->332, 332->333, 332->334, 333->336, 334->333, 334->339, 339->333, 339->341, 341->336
                • Reading: LoadLibraryW (339) runs only when the helper at 4018be succeeds (334->339); failure of either step converges on 333 and the epilogue.
                APIs
                • GetTempPathW.KERNEL32(00000103,?), ref: 0040198F (nBufferLength 0x103 = 259 characters)
                • LoadLibraryW.KERNEL32(?), ref: 004019DB (the htmlayout.dll string and the call at 4018be that precedes it are consistent with the engine DLL being written under %TEMP% and then loaded from there, matching the report's "Drops PE files" signature; loading a fixed-name DLL from a user-writable directory is the point to note)
                Strings
                • HTMLAYOUT
                • htmlayout.dll
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same 23 dumps as listed for the first 00401000-sourced function above (00400000, 00413000, 0041B000, 0041F000, 00420000, 00431000, 00432000, 00435000, 00437000 and 0083A000 through 0087B000)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: LibraryLoadPathTemp
                • String ID: HTMLAYOUT$htmlayout.dll
                • API String ID: 1483161324-2382852306
                • Opcode ID: e960e21d78d1ae5ad20f9f79a2075018b3328378a562535e321627666c4a5d81
                • Instruction ID: 6331d88366f79d09ef44652b39a10c8b0e618bf6c13ab4c123d8d644c5d9ff0f
                • Opcode Fuzzy Hash: e960e21d78d1ae5ad20f9f79a2075018b3328378a562535e321627666c4a5d81
                • Instruction Fuzzy Hash: 3E01F7B2B0130DAADB20DBA4DC56BEB77FCEB44344F104176E81AE71D1E6349B08C658
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (node id: address range, calls and APIs in the block; then edges)

                • 342: 404520-40452f
                • 343: 404531-404545, call 405bd0
                • 344: 40455c-404561
                • 345: 404563-404573
                • 346: 404576-40457e
                • 347: 404547-40454f
                • 348: 404580-4045a7, call 4082c0
                • 349: 4045a8-4045b0
                • 350: 404551-40455b
                • 352: 4045b2-4045b5
                • 353: 4045b7-4045d2, call 4082c0
                • 357: 4045d4-4045f7, call 4082c0
                • 358: 4045f8-404601
                • 360: 404603
                • 361: 40460a-40460f
                • 363: 404611-404613
                • 364: 404616-40461d
                • Edges: 342->343, 342->344, 343->347, 344->345, 344->346, 345->346, 346->348, 346->349, 347->344, 347->350, 349->352, 349->353, 352->353, 353->357, 353->358, 358->360, 358->361, 360->361, 361->363, 361->364, 363->364
                • Reading: no Windows API is called; the three calls to 4082c0 are presumably the _memmove named in the API ID, so this is a buffer copy/append helper.
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same 23 dumps as listed for the first 00401000-sourced function above (00400000, 00413000, 0041B000, 0041F000, 00420000, 00431000, 00432000, 00435000, 00437000 and 0083A000 through 0087B000)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: da11ffc6254176748c6d125490bfd6c9b072b5a764866eec23804c336a4009d9
                • Instruction ID: 65e9f65510cc0a37031750185b7e9495de23893c3ced0783b30cabe660683ad7
                • Opcode Fuzzy Hash: da11ffc6254176748c6d125490bfd6c9b072b5a764866eec23804c336a4009d9
                • Instruction Fuzzy Hash: 00314BB1610B009FC764DF79DA80967B3E9FBC8314B008A6ED94A87B44E675F800CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (node id: address range, calls and APIs in the block; then edges)

                • 366: 429bd4-429bdc
                • 367: 429beb-429bee, call 42ad8c
                • 369: 429bf3-429bf6
                • 370: 429bf8-429bf9
                • 371: 429bde-429be9, call 42ae65
                • 374: 429bfa-429c06
                • 375: 429c21-429c38, call 429bb7, call 42ae8d
                • 376: 429c08-429c20, call 429b6a, call 42ad26
                • Edges: 366->367, 367->369, 369->370, 369->371, 371->367, 371->374, 374->375, 374->376, 376->375
                • Reading: 42ad8c is the _malloc listed below (ref 00429BEE lies in block 367) and the 371->367 back edge is the allocate/retry loop; block 375 ends in the __CxxThrowException@8 call at 00429C33.
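Joe Sandbox exports each control-flow graph in this section as one flat token string: a decimal node id, the block's address or address range, any `call <addr>` or resolved API-name labels on that block, and `a->b` edges. The Python below is an added example, not part of the report or of the Joe Sandbox tooling, that parses such a string and answers the questions an analyst asks of a graph: which block is the entry, in what order the calls appear, which blocks loop, which blocks exit, and by which paths a block of interest (here the one holding VirtualFree) is reached. The embedded input is the graph of the 0x402c96 routine above, copied as exported; the token grammar is inferred from the five graphs in this section and is an assumption beyond them.

```python
import re
from collections import defaultdict

# Graph of the 0x402c96 routine (SHGetSpecialFolderPathW / __snprintf / VirtualFree),
# copied from this report's exported control_flow_graph text.
RAW_GRAPH = (
    "304 402c96-402cc8 SHGetSpecialFolderPathW 305 402d5d-402d6f call 40707a "
    "304->305 306 402cce-402cd6 304->306 308 402cd9-402ce3 306->308 308->308 "
    "310 402ce5-402cfd call 4011c3 308->310 312 402d02-402d08 310->312 "
    "313 402d0a-402d55 call 4075d2 call 4010fd VirtualFree 312->313 "
    "314 402d5b-402d5c 312->314 313->314 314->305"
)

# Token grammar inferred from the graphs in this section (an assumption, not a
# documented export format):
#   <id> <hexaddr>[-<hexaddr>] { call <hexaddr> | <ApiName> }*   defines a block
#   <id>-><id>                                                   defines an edge
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(text):
    """Return (blocks, edges). blocks maps id -> {"start", "end", "labels"};
    edges is a list of (src, dst) block ids in export order."""
    tokens = text.split()
    blocks, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            current = int(tok)
            blocks[current] = {"start": int(lo, 16), "end": int(hi or lo, 16), "labels": []}
            i += 2
        elif current is None:
            raise ValueError("label %r before any block" % tok)
        elif tok == "call":
            # "call <addr>": an internal call whose target the report did not name
            blocks[current]["labels"].append("call " + tokens[i + 1])
            i += 2
        else:
            blocks[current]["labels"].append(tok)  # a resolved API name
            i += 1
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def entry_block(blocks):
    """Lowest-addressed block; the function is laid out from its entry."""
    return min(blocks, key=lambda b: blocks[b]["start"])


def self_loops(edges):
    return sorted({src for src, dst in edges if src == dst})


def exit_blocks(blocks, edges):
    """Blocks with no successor other than themselves."""
    succ = successors(edges)
    return sorted(b for b in blocks if all(d == b for d in succ[b]))


def api_sequence(blocks):
    """Labels in address order: the static order in which the calls appear."""
    order = sorted(blocks, key=lambda b: blocks[b]["start"])
    return [label for b in order for label in blocks[b]["labels"]]


def blocks_calling(blocks, api):
    """Ids of blocks whose labels include the given API name."""
    return sorted(b for b in blocks if api in blocks[b]["labels"])


def simple_paths(edges, src, dst):
    """All loop-free paths from src to dst (DFS); fine for graphs this size."""
    succ = successors(edges)
    found = []

    def walk(node, path):
        if node == dst:
            found.append(list(path))
            return
        for nxt in succ[node]:
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return found


if __name__ == "__main__":
    blocks, edges = parse_graph(RAW_GRAPH)
    entry = entry_block(blocks)
    print("entry:", entry, "exits:", exit_blocks(blocks, edges), "loops:", self_loops(edges))
    print("calls in address order:", api_sequence(blocks))
    for b in blocks_calling(blocks, "VirtualFree"):
        print("paths from entry to VirtualFree block", b, simple_paths(edges, entry, b))
```

Run against the 0x402c96 graph it reports a single path 304->306->308->310->312->313 to the VirtualFree block, which is the analyst's check that the file-path build and free happen only after SHGetSpecialFolderPathW has succeeded; the same functions apply unchanged to the other four graphs in this section.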
                APIs
                • _malloc.LIBCMT ref: 00429BEE
                  • Part of subcall function 0042AD8C: __FF_MSGBANNER.LIBCMT ref: 0042ADAF
                  • Part of subcall function 0042AD8C: __NMSG_WRITE.LIBCMT ref: 0042ADB6
                  • Part of subcall function 0042AD8C: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,0042CA27,00000001,00000001,00000001,?,0042DB18,00000018,004333D0,0000000C,0042DBA9), ref: 0042AE03
                • std::bad_exception::bad_exception.LIBCMT ref: 00429C25
                • __CxxThrowException@8.LIBCMT ref: 00429C33
                  • Part of subcall function 00429B6A: std::exception::exception.LIBCMT ref: 00429B76
                • Note: statically linked CRT allocation wrapper (allocate, retry through the 371->367 loop, throw on failure); this is library code, not sample-specific behaviour.
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: AllocateException@8HeapThrow_mallocstd::bad_exception::bad_exceptionstd::exception::exception
                • String ID:
                • API String ID: 2138351685-0
                • Opcode ID: ae7820c94cfebbf9c7d89e35ce583fcb0d2bd5b5b4d4198207abc5bc5e14436e
                • Instruction ID: 471027db271056a619afcf3bb428b00acc562f7b6dac88000fe9580d0c48a08d
                • Opcode Fuzzy Hash: ae7820c94cfebbf9c7d89e35ce583fcb0d2bd5b5b4d4198207abc5bc5e14436e
                • Instruction Fuzzy Hash: 97F0E930B002352BCF186B22FC0395E3B68AB01719FA4446BFC0155191DF6CAE11865E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 004010D0 (dwMoveMethod 0 = FILE_BEGIN)
                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004010E4
                • FindCloseChangeNotification.KERNEL32(?), ref: 004010F2 (likely CloseHandle: the two kernel32 exports can resolve to the same address, so the label is ambiguous; with the two calls above this is a seek, write, close helper, the one the log-file routine at 0x402c96 uses)
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same 23 dumps as listed for the first 00401000-sourced function above (00400000, 00413000, 0041B000, 0041F000, 00420000, 00431000, 00432000, 00435000, 00437000 and 0083A000 through 0087B000)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: File$ChangeCloseFindNotificationPointerWrite
                • String ID:
                • API String ID: 2088425310-0
                • Opcode ID: 1002a22316de52ea5788a1ba0b74fc4a1cb8523fe08b3c32eab6c29cee157856
                • Instruction ID: 18ab1dfcabc32ec26dcb0b6fad4685691ae14b671c62a4fd2cc7cd1d940cdffd
                • Opcode Fuzzy Hash: 1002a22316de52ea5788a1ba0b74fc4a1cb8523fe08b3c32eab6c29cee157856
                • Instruction Fuzzy Hash: D2E09272501128BBCF215FA2DC08DDB7FADFF096A2B108068BE0AD6164D731DA51DBE4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 00401183 (CodePage 0 = CP_ACP, dwFlags 1 = MB_PRECOMPOSED; cchWideChar 0 makes this the length query)
                • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00401198 (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX allocation for what is only a converted string buffer; string data needs no execute permission)
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 004011B0 (second call performs the conversion into the allocated buffer)
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: same 23 dumps as listed for the first 00401000-sourced function above (00400000, 00413000, 0041B000, 0041F000, 00420000, 00431000, 00432000, 00435000, 00437000 and 0083A000 through 0087B000)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ByteCharMultiWide$AllocVirtual
                • String ID:
                • API String ID: 681469954-0
                • Opcode ID: 05b1766ab735f38e4f4e05d2b4678030cf6ab776469cd64b41af7fe1176e1849
                • Instruction ID: 1f1c780e14bf0ead77e861e0243f11b59c76169c223fe8d86e92b6732d1fc7a3
                • Opcode Fuzzy Hash: 05b1766ab735f38e4f4e05d2b4678030cf6ab776469cd64b41af7fe1176e1849
                • Instruction Fuzzy Hash: DDF03CB6600208BFDF108F98CCC5EAB7BADEB48354F144426FB01EB250C2B1DE408BA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetValueW.SHLWAPI(80000001,Software\ExpressFiles,?,?,?,00000000,?,?,?,00402BD6,soft_id,?,?,?), ref: 00403AF6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Value
                • String ID: Software\ExpressFiles
                • API String ID: 3702945584-156859950
                • Opcode ID: 20405fce97bd1ac7ccf90d8dfa48947633487e1fb1647966ff93ed912ce88414
                • Instruction ID: 608e246719388f5a1aae000e54e458d4760c35a87e0defe669d5d9b9d49f80b1
                • Opcode Fuzzy Hash: 20405fce97bd1ac7ccf90d8dfa48947633487e1fb1647966ff93ed912ce88414
                • Instruction Fuzzy Hash: 38E0ECB195020CBFDF019F90CC45EEE7FBCEB00319F204155B911A2150D6B1A7889B54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: 489be3f4be08b020cefb301c32b67d876261a2f805ba539832233cd49025af64
                • Instruction ID: d65680495112752c7dc90d011e2f438480a1607846d799313952db2bd71e3e80
                • Opcode Fuzzy Hash: 489be3f4be08b020cefb301c32b67d876261a2f805ba539832233cd49025af64
                • Instruction Fuzzy Hash: BA414DB5A0061ADBCB18CF99D4905AEF7B2FF84320F24817AD91567B80D3799D91CF84
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0040C4B3,00000000,?,00000000,00000000,00000000,?,0040AFE9,00000001,00000214,?,0040771A), ref: 0040F835
                  • Part of subcall function 00409704: __getptd_noexit.LIBCMT ref: 00409704
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: AllocateHeap__getptd_noexit
                • String ID:
                • API String ID: 328603210-0
                • Opcode ID: 8d1d494144ce96ac9ab037ead3798bbbb1d6e4c57190651d7e85f7cfa6c31290
                • Instruction ID: 99be9a6cd4f41ca11fa1f17ff044f0ae951717072ebf1a64515fa5badfe77aca
                • Opcode Fuzzy Hash: 8d1d494144ce96ac9ab037ead3798bbbb1d6e4c57190651d7e85f7cfa6c31290
                • Instruction Fuzzy Hash: 1F01B5373006159AEB34AF26DC54BE73794BB81764F04C63AE805EBAE0D738D804C688
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • HeapCreate.KERNEL32(00000000,00001000,00000000,?,0042A87A,?), ref: 0042D575
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: a5a838e7fe24164372ae57fd8a80475c256e210be9bcdf24cbcb5cf11a3bf7fe
                • Instruction ID: d95a6ebd64e4a061f1d3dfde2b7553916d1fc83088e3a99c13ba90a853612b66
                • Opcode Fuzzy Hash: a5a838e7fe24164372ae57fd8a80475c256e210be9bcdf24cbcb5cf11a3bf7fe
                • Instruction Fuzzy Hash: 2BD05E72A503456EDB105F71BC08B223BDC97843A9F418436F80CC6260E675C580CA08
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __encode_pointer.LIBCMT ref: 0042B41C
                  • Part of subcall function 0042B3A8: TlsGetValue.KERNEL32(00000000,?,0042B421,00000000,0042EADC,00435E70,00000000,00000314,?,0042B333,00435E70,Microsoft Visual C++ Runtime Library,00012010), ref: 0042B3BA
                  • Part of subcall function 0042B3A8: TlsGetValue.KERNEL32(00000005,?,0042B421,00000000,0042EADC,00435E70,00000000,00000314,?,0042B333,00435E70,Microsoft Visual C++ Runtime Library,00012010), ref: 0042B3D1
                  • Part of subcall function 0042B3A8: RtlEncodePointer.NTDLL(00000000,?,0042B421,00000000,0042EADC,00435E70,00000000,00000314,?,0042B333,00435E70,Microsoft Visual C++ Runtime Library,00012010), ref: 0042B40F
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Value$EncodePointer__encode_pointer
                • String ID:
                • API String ID: 2585649348-0
                • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                • Instruction ID: 0bc9c543787971e3b1d343c2b1e75351b74aa16b40d2e05a458cf4bed750fbdb
                • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000,0040FDB2,0041C5E8,00000314,00000000,?,?,?,?,?,0040CF5B,0041C5E8,Microsoft Visual C++ Runtime Library,00012010), ref: 0040AE89
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: 9c47c8599279ca659e19a4a34ef5265a08438dad85874766fac4c2d4d715bbba
                • Instruction ID: d9040f0bc38fbc7d36e3751f807e54773a78b8d0ecb468e5d3b116a1ff322665
                • Opcode Fuzzy Hash: 9c47c8599279ca659e19a4a34ef5265a08438dad85874766fac4c2d4d715bbba
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetValueA.SHLWAPI(80000001,Software\ExpressFiles,install_date,?,?,?,?,?,00000000), ref: 00402B6F
                • __time64.LIBCMT ref: 00402B7D
                  • Part of subcall function 00407846: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00402B82,?,?,?,?,?,00000000), ref: 00407851
                  • Part of subcall function 00407846: __aulldiv.LIBCMT ref: 00407871
                • __localtime64_s.LIBCMT ref: 00402B8B
                  • Part of subcall function 00407338: __make__time64_t.LIBCMT ref: 00407342
                • SHSetValueA.SHLWAPI(80000001,Software\ExpressFiles,install_date,0000000B,?,00000004,?,?,00000000), ref: 00402BB8
                • GetVersionExW.KERNEL32(?,?,?,?,?,00000000), ref: 00402BED
                • CoCreateGuid.OLE32(?,?,?,?,?,00000000), ref: 00402BF7
                • UuidToStringW.RPCRT4(?,?), ref: 00402C0C
                • __snwprintf.LIBCMT ref: 00402C3C
                • RpcStringFreeW.RPCRT4(?), ref: 00402C4B
                • SHSetValueW.SHLWAPI(80000002,Software\ExpressFiles,soft_id,00000001,?,?,?,?,?,?,00000000), ref: 00402C81
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Value$StringTime$CreateFileFreeGuidSystemUuidVersion__aulldiv__localtime64_s__make__time64_t__snwprintf__time64
                • String ID: %d-%d-%s-%s$0.2$Software\ExpressFiles$Software\ExpressFiles$install_date$soft_id
                • API String ID: 4141727444-1856787414
                • Opcode ID: eefa653f5e7ff2f05660b9fe913b1b71eb09b473b2c03475477d67c111d02e81
                • Instruction ID: fe0587ad8c25b214b18f9572d37301a14eab849dd3bee3dc094f57e566f071e1
                • Opcode Fuzzy Hash: eefa653f5e7ff2f05660b9fe913b1b71eb09b473b2c03475477d67c111d02e81
                • Instruction Fuzzy Hash: 894151B2D00219AFDB10DF95DC49EEB77BCEB45705F14807AF504E6281EB789A448B54
                Uniqueness

                Uniqueness Score: -1.00%
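
                The two SHLWAPI call sites above give a host-based artifact worth checking during triage: the function at 00403AF6 reads soft_id from HKEY_CURRENT_USER (0x80000001) under Software\ExpressFiles, while this function reads and rewrites install_date under the same HKCU key and stores a freshly generated soft_id (CoCreateGuid, UuidToStringW, __snwprintf with "%d-%d-%s-%s" and "0.2") under HKEY_LOCAL_MACHINE (0x80000002) as REG_SZ (type 1). The PowerShell script below is an added example for analysts and is not part of the Joe Sandbox report or of the sample. It assumes three things the report does not state: that the HKLM write from this 32-bit PE lands under WOW6432Node on 64-bit Windows (standard registry redirection), that the two leading "%d" fields are numeric (the regex only requires digits; the report shows GetVersionExW called just before CoCreateGuid, but which values are formatted is an inference), and that the last field is the lowercase UUID string UuidToStringW produces.

```powershell
# Added triage example (not from the Joe Sandbox report or the sample).
# Looks for the registry footprint the report names: install_date and soft_id
# under Software\ExpressFiles, read from HKCU (0x80000001) and written to HKLM (0x80000002).

# Assumed: a 32-bit process writing HKLM\Software on 64-bit Windows is redirected
# to WOW6432Node, so both views of HKLM are checked.
$KeyPaths = @(
    'HKCU:\Software\ExpressFiles',
    'HKLM:\SOFTWARE\ExpressFiles',
    'HKLM:\SOFTWARE\WOW6432Node\ExpressFiles'
)
$ValueNames = @('install_date', 'soft_id')

# Assumed shape of soft_id, inferred from the strings "%d-%d-%s-%s" and "0.2" and the
# UuidToStringW call: <digits>-<digits>-<token>-<uuid>. Not confirmed by the report.
$SoftIdPattern = '^(?<a>\d+)-(?<b>\d+)-(?<ver>[^-]+)-(?<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$'

function Get-ExpressFilesFootprint {
    # Emits one object per value found; nothing is emitted when the keys are absent.
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $ValueNames) {
            $data = $key.GetValue($name, $null)
            if ($null -eq $data) { continue }
            $shapeOk = $null
            $guid = $null
            if ($name -eq 'soft_id') {
                # -match is case-insensitive, so an upper-case UUID still matches.
                $shapeOk = [string]$data -match $SoftIdPattern
                if ($shapeOk) { $guid = $Matches['guid'] }
            }
            [pscustomobject]@{
                Path    = $path
                Name    = $name
                Kind    = $key.GetValueKind($name)   # soft_id is written as REG_SZ (type 1) per the report
                Data    = $data
                ShapeOk = $shapeOk                   # $null for install_date, $true/$false for soft_id
                Guid    = $guid
            }
        }
    }
}

# Usage: run in the user context that executed the sample; the HKLM entries are
# readable from any account, the HKCU entry only from the affected user's hive.
Get-ExpressFilesFootprint | Format-Table -AutoSize
```

                Two practical caveats: a write to HKLM\Software succeeds only from an elevated (high-integrity) token, so on an unelevated run only the HKCU values will exist; and because "0.2" and the UUID are both printed with "%s", the regex anchors on the UUID shape rather than on a fixed middle token, so a different version string still matches.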

                APIs
                • OpenProcess.KERNEL32(00000400,00000000,?), ref: 004014F9
                • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00401511
                • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040152C
                • GetLastError.KERNEL32 ref: 00401532
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00401541
                • HeapAlloc.KERNEL32(00000000), ref: 00401548
                • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00401561
                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00401569
                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0040157A
                • SetLastError.KERNEL32(00000000), ref: 0040158C
                • GetLastError.KERNEL32 ref: 00401592
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004015A0
                • HeapFree.KERNEL32(00000000), ref: 004015A7
                • CloseHandle.KERNEL32(?), ref: 004015BB
                • CloseHandle.KERNEL32(?), ref: 004015C5
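                The call sequence above is the standard way to read a process's mandatory integrity level: OpenProcess with PROCESS_QUERY_INFORMATION (0x400), OpenProcessToken with TOKEN_QUERY (8), GetTokenInformation with class 25 (TokenIntegrityLevel) once with no buffer to learn the required size (the GetLastError at 00401532 checks for ERROR_INSUFFICIENT_BUFFER), a HeapAlloc of that size, a second GetTokenInformation, then GetSidSubAuthorityCount and GetSidSubAuthority to read the last sub-authority of the S-1-16-<RID> label SID, which is the integrity RID. The PowerShell/C# reimplementation below is an added example so an analyst can compute the same value for any PID and compare; it is not the sample's code. The RID-to-name table is the documented Windows SECURITY_MANDATORY_*_RID mapping, not something the report states, and the type name TokenIntegrity and the function names are this example's own.

```powershell
# Added example (not the sample's code): the integrity-level query performed by the
# function at 004014F9..004015C5, reproduced via P/Invoke so results can be compared.
$Source = @'
using System;
using System.Runtime.InteropServices;

public static class TokenIntegrity
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;   // OpenProcess access used at 004014F9
    const uint TOKEN_QUERY = 0x0008;                 // OpenProcessToken access used at 00401511
    const int  TokenIntegrityLevel = 25;             // class 0x19 passed to GetTokenInformation
    const int  ERROR_INSUFFICIENT_BUFFER = 122;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, uint len, out uint needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    // Returns the integrity RID (e.g. 0x2000 for Medium); throws a Win32Exception on failure.
    public static uint GetRid(uint pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        IntPtr token = IntPtr.Zero, buffer = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token))
                throw new System.ComponentModel.Win32Exception();
            uint needed;
            // First call with no buffer: fails with ERROR_INSUFFICIENT_BUFFER and reports the size.
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
                throw new System.ComponentModel.Win32Exception();
            buffer = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed))
                throw new System.ComponentModel.Win32Exception();
            // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }.
            IntPtr sid = Marshal.ReadIntPtr(buffer);
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            // The integrity level is the last sub-authority of S-1-16-<RID>.
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
'@
# Add-Type refuses to redefine a type, so skip compilation when re-run in the same session.
if (-not ('TokenIntegrity' -as [type])) { Add-Type -TypeDefinition $Source }

# Documented mandatory-label RIDs (SECURITY_MANDATORY_*_RID); this table is not from the report.
function ConvertFrom-IntegrityRid([uint32]$Rid) {
    switch ($Rid) {
        0x0000 { 'Untrusted' }
        0x1000 { 'Low' }
        0x2000 { 'Medium' }
        0x2100 { 'Medium Plus' }
        0x3000 { 'High' }
        0x4000 { 'System' }
        0x5000 { 'Protected Process' }
        default { 'Unknown (0x{0:X})' -f $Rid }
    }
}

function Get-ProcessIntegrityLevel {
    param([Parameter(Mandatory, ValueFromPipeline)][uint32]$Id)
    process {
        try {
            $rid = [TokenIntegrity]::GetRid($Id)
            [pscustomobject]@{ Id = $Id; Rid = ('0x{0:X4}' -f $rid); Level = ConvertFrom-IntegrityRid $rid }
        } catch {
            # Expected for protected or higher-privileged processes: OpenProcess/OpenProcessToken is denied.
            [pscustomobject]@{ Id = $Id; Rid = $null; Level = "error: $($_.Exception.Message)" }
        }
    }
}

# Usage: the current shell first, then everything the sample could have enumerated.
Get-ProcessIntegrityLevel -Id $PID
Get-Process | Select-Object -ExpandProperty Id | Get-ProcessIntegrityLevel | Format-Table -AutoSize
```

                Because the example keeps the sample's PROCESS_QUERY_INFORMATION rather than PROCESS_QUERY_LIMITED_INFORMATION, opening protected processes fails exactly as it would for the sample, which is useful when reasoning about which processes its loop could actually inspect.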
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: HeapProcess$ErrorLastToken$AuthorityCloseHandleInformationOpen$AllocCountFree
                • String ID:
                • API String ID: 832583064-0
                • Opcode ID: 8ddd707a23ef1381d7aa055e2e7cdc2ba439548caab8067176f016abf1882ce6
                • Instruction ID: cd06fbe20429e85700cefaa667a7ad31a008de8282c6953e1517943ff0d00095
                • Opcode Fuzzy Hash: 8ddd707a23ef1381d7aa055e2e7cdc2ba439548caab8067176f016abf1882ce6
                • Instruction Fuzzy Hash: 0A312B35A00214FFCB219FA5DC489AEBFB9EF88702B108476E506E6264D7359F40DB68
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,00000000,00000000), ref: 004020B2
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000000,00000000), ref: 004020C0
                  • Part of subcall function 004018BE: LockResource.KERNEL32(00000000), ref: 004018F4
                  • Part of subcall function 004018BE: SizeofResource.KERNEL32(00000000,00000000), ref: 00401903
                  • Part of subcall function 004018BE: CreateFileW.KERNEL32(?,C0000000,00000001,?,00000004,00000000,00000000), ref: 0040192E
                  • Part of subcall function 004018BE: VirtualFree.KERNELBASE(?,00000000,00000000,00008000), ref: 00401957
                  • Part of subcall function 004018BE: FreeResource.KERNEL32(?), ref: 00401960
                • MessageBoxW.USER32(00000000,?,Cant install file,00000000), ref: 0040211C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Resource$DescriptorFreeSecurity$CreateDaclFileInitializeLockMessageSizeofVirtual
                • String ID: Cant install file$EXPRESSDL$HTMLAYOUT$current_language
                • API String ID: 3206630221-1876142429
                • Opcode ID: a56b00f4c97051ca857085cc66a698f39bdd03144368d434a3644f13f3d71448
                • Instruction ID: 851dfdb07ba9541c09c6afe9adf1c76dba9b76a8b086b435370ddc23c2f46f8f
                • Opcode Fuzzy Hash: a56b00f4c97051ca857085cc66a698f39bdd03144368d434a3644f13f3d71448
                • Instruction Fuzzy Hash: 5E318F72900208AFCB00DFE8D9859EEBBB8FF08304B14447EE515BB291DB755A08CB59
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Find$File$CloseDirectoryRemove$DeleteErrorFirstLastNext
                • String ID:
                • API String ID: 4094345817-0
                • Opcode ID: 9f26448009e526f83ebc6f0518f015aa218cabc787c2e521b2e56f23c3433db6
                • Instruction ID: 9d3b2c5c95fc12cb8e65189a06da6644579f1a43890bd4255a4d0fc6e33bf259
                • Opcode Fuzzy Hash: 9f26448009e526f83ebc6f0518f015aa218cabc787c2e521b2e56f23c3433db6
                • Instruction Fuzzy Hash: D851A27190021A8ACF209F78CC587EA76F5EF54314F0045F6E809E32A0E7398E85CB69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040101C
                • Process32FirstW.KERNEL32(00000000,?), ref: 0040103A
                • PathFindFileNameW.SHLWAPI(?), ref: 0040104A
                • StrCmpIW.SHLWAPI(00000000), ref: 00401051
                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040106E
                • CloseHandle.KERNEL32(00000000), ref: 00401079
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Process32$CloseCreateFileFindFirstHandleNameNextPathSnapshotToolhelp32
                • String ID:
                • API String ID: 1071957298-0
                • Opcode ID: 595043d36cf4786aa7230ef8d7cb72eadc54ed786f3665149f4eed60cbc25799
                • Instruction ID: 044b20cbf957b27d40a084a7c25bcf388f2ca335a17be3ab456cbbed34d25f56
                • Opcode Fuzzy Hash: 595043d36cf4786aa7230ef8d7cb72eadc54ed786f3665149f4eed60cbc25799
                • Instruction Fuzzy Hash: 0C019231A01114ABC7209F64DD4DBEE7BBCAB09715F0042B5E911E21E0D7389F44CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
                • API String ID: 0-3089872807
                • Opcode ID: 513ef69d99ebfe96f6b737fb9ef80941e8ad18bf52fc0e232d7b113774a9aff3
                • Instruction ID: 23372f719c00d966d0f1818c55a8ac02872f5530a4abc751a3123851786869ee
                • Opcode Fuzzy Hash: 513ef69d99ebfe96f6b737fb9ef80941e8ad18bf52fc0e232d7b113774a9aff3
                • Instruction Fuzzy Hash: 85123731A087018FDB14DE38C58421BBBE1EB88354F15863EE896E7B81D3799D59CB89
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 004086DC
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004086F1
                • UnhandledExceptionFilter.KERNEL32(00415FA4), ref: 004086FC
                • GetCurrentProcess.KERNEL32(C0000409), ref: 00408718
                • TerminateProcess.KERNEL32(00000000), ref: 0040871F
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID:
                • API String ID: 2579439406-0
                • Opcode ID: 5b5b72d1700a22a51e411b3c2e6bb2feb723ea7ea0e438cce9ac0782e312d62d
                • Instruction ID: 16680594e438a0b59e92e78eabb9926e8ddda0bd970108a2568b24566f5cb839
                • Opcode Fuzzy Hash: 5b5b72d1700a22a51e411b3c2e6bb2feb723ea7ea0e438cce9ac0782e312d62d
                • Instruction Fuzzy Hash: 1221ADB4991304EFD741DFA5FD897843BA4BB08305F1091BAE50897671E7B49A808F0D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 004302AB
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004302C0
                • UnhandledExceptionFilter.KERNEL32(00432A3C), ref: 004302CB
                • GetCurrentProcess.KERNEL32(C0000409), ref: 004302E7
                • TerminateProcess.KERNEL32(00000000), ref: 004302EE
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID:
                • API String ID: 2579439406-0
                • Opcode ID: 35d8b0a3087576b72b4237ad93d7b4cf0bbcec985a4dee296e98998e35bfda81
                • Instruction ID: dda2c53026e1a0e8fe149a03d53433f81d4cd3519b73b4c8d32149e6793a4a33
                • Opcode Fuzzy Hash: 35d8b0a3087576b72b4237ad93d7b4cf0bbcec985a4dee296e98998e35bfda81
                • Instruction Fuzzy Hash: F421FEB4900246FFC700EF2AFD8AA043BB0BB08344F52B03AE41987264E7B549848F5D
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID: @$X>A
                • API String ID: 0-2469429838
                • Opcode ID: 0575c887382b4c9056e03da4f7b83a1774cb174f10fce066d0216b3e4764987c
                • Instruction ID: c0323352c71fd4c83f5076639bd8333173ffdf98e45b54bd3c6e0153d3c606c6
                • Opcode Fuzzy Hash: 0575c887382b4c9056e03da4f7b83a1774cb174f10fce066d0216b3e4764987c
                • Instruction Fuzzy Hash: D3F15E75E002198FCF24CFA8C5802ADBBB1FF98314F25457ED846AB384DB799956CB44
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoCreateInstance.OLE32(00418014,00000000,00000001,00418024,?,00401D3C), ref: 00401A42
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: CreateInstance
                • String ID:
                • API String ID: 542301482-0
                • Opcode ID: b59788361d556036c6ead607468fb3b27824885aa9d606312dd8889d99c14882
                • Instruction ID: 9669c3f696ff775881e3c6243a681e9f0239a2346b5aaf48d4c0b54247478413
                • Opcode Fuzzy Hash: b59788361d556036c6ead607468fb3b27824885aa9d606312dd8889d99c14882
                • Instruction Fuzzy Hash: F2F049303027029BDB248E25CC48F6376A5AF40B06F10882DA196DA6E4D7B8E980CF18
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0000D015), ref: 0040D05C
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: c6f671298aa8306924dfdba1ad9fe3c225a693b469c98f0f13a405b2b0feebde
                • Instruction ID: 05696fe55d69e19891b1b5b984a5015ee42096844b8e7f5f1e3276c6b97f2912
                • Opcode Fuzzy Hash: c6f671298aa8306924dfdba1ad9fe3c225a693b469c98f0f13a405b2b0feebde
                • Instruction Fuzzy Hash: 8B9002646A1140569A005FB05D0D74565A45ADC70BB5144756219E8098DE644105661A
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID: "
                • API String ID: 0-123907689
                • Opcode ID: e8758db0e99e8fcea7555fa9d2641066f37a2482aaa06230641a43a236fbfd4e
                • Instruction ID: b2cb2a2cde6401a48ccb7f509ef8d06b458c6a369460e00cb97887ab1918e747
                • Opcode Fuzzy Hash: e8758db0e99e8fcea7555fa9d2641066f37a2482aaa06230641a43a236fbfd4e
                • Instruction Fuzzy Hash: 4E11337550C345FEC702EB14C1826AA7F93BF90380F14844EF98527A12E6789569AB9B
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a7f9398a2cfe3d3b7bead3f721c4cbe39a86abe3ea0e77f28ff9391eaea01d9
                • Instruction ID: e1993a3340d3fc72cad59d1c3d45e16d4d5593cdc44aa4144d82d23be8916c37
                • Opcode Fuzzy Hash: 6a7f9398a2cfe3d3b7bead3f721c4cbe39a86abe3ea0e77f28ff9391eaea01d9
                • Instruction Fuzzy Hash: 799105B6E051995FCB059F68C8A01F97BF2EF66210B0D80E9D9D0DB347D139961BCB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a33c0485eb41936b300fb5aad2963a1aba252e7099ae6d0aa04c09c3ff597148
                • Instruction ID: 7b0475f07a8823306a501a767e7839936b0c34f56a6fc7186211326b821bed15
                • Opcode Fuzzy Hash: a33c0485eb41936b300fb5aad2963a1aba252e7099ae6d0aa04c09c3ff597148
                • Instruction Fuzzy Hash: 4C8127B2E0519A5FDB059F68C8A01F97BF2EF66204B0D80E9D9D0DB347D139961BCB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9326100741b2f08c687ab723f092331b973ed24116abba679b17efeba75b6248
                • Instruction ID: 88d688d29e1a3f70c457dfcbf34bd088a50aa66e4d8e9cdd437568f1f1431993
                • Opcode Fuzzy Hash: 9326100741b2f08c687ab723f092331b973ed24116abba679b17efeba75b6248
                • Instruction Fuzzy Hash: 8561603666155357E350CF6DFCC076637A2EBCA701F1AC531DA108B6A6C739EA2386C8
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdc87c66b028c3d17e28a6d295e6691f78296d3e33762d35ad1643c124583432
                • Instruction ID: 5ec589f9b70ae1655e479850c9781525016180733e2f0e49920e33c2e6229f04
                • Opcode Fuzzy Hash: fdc87c66b028c3d17e28a6d295e6691f78296d3e33762d35ad1643c124583432
                • Instruction Fuzzy Hash: 4AF05E3A548399DFC711DB9084804EEFBF1AA9A311F48984DEAC413301E366AA5DD712
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __snwprintf.LIBCMT ref: 00402162
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,DisplayName,00000001,ExpressFiles,0000001A,?,004180A0,?,00000000), ref: 00402190
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,UninstallString,00000001,?,?,?,004180A0,?,00000000), ref: 004021AD
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,DisplayIcon,00000001,?,?,?,004180A0,?,00000000), ref: 004021E6
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,Publisher,00000001,http://www.express-files.com/,0000003C,?,004180A0,?,00000000), ref: 004021F8
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,InstallLocation,00000001,?,?,?,004180A0,?,00000000), ref: 00402233
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,URLInfoAbout,00000001,http://www.express-files.com/,0000003C,?,004180A0,?,00000000), ref: 00402245
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles,DisplayVersion,00000001,1.2.0,0000000C,?,004180A0,?,00000000), ref: 00402257
                • SHSetValueW.SHLWAPI(80000000,Magnets,00418054,00000001,Magnets URI,00000018,?,004180A0,?,00000000), ref: 00402272
                • SHSetValueW.SHLWAPI(80000000,Magnets,Content Type,00000001,application/x-magnets,0000002C,?,004180A0,?,00000000), ref: 00402288
                • SHSetValueW.SHLWAPI(80000000,Magnets,URL Protocol,00000001,00418054,00000000,?,004180A0,?,00000000), ref: 0040229E
                • SHSetValueW.SHLWAPI(80000000,Magnets\shell,00418054,00000001,open,0000000A,?,004180A0,?,00000000), ref: 004022B4
                • __snwprintf.LIBCMT ref: 004022CD
                • SHSetValueW.SHLWAPI(80000000,Magnets\DefaultIcon,00418054,00000001,?,?,?,?,?,?,?,004180A0,?,00000000), ref: 004022F4
                • __snwprintf.LIBCMT ref: 0040230F
                • SHSetValueW.SHLWAPI(80000000,Magnets\shell\open\command,00418054,00000001,?,?), ref: 00402336
                • __snwprintf.LIBCMT ref: 0040234F
                • SHSetValueW.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion\Run,ExpressFiles,00000001,?,?), ref: 0040237A
                • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\ProtocolExecute\magnets,WarnOnOpen,00000004,?,00000004), ref: 0040239A
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004023A9
                • CopyFileW.KERNEL32(?,?,00000000), ref: 004023C1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Value$__snwprintf$File$CopyModuleName
                • String ID: "%s"$"%s" "%c1"$"%s" -tray$"%s",0$1.2.0$Content Type$DisplayIcon$DisplayName$DisplayVersion$ExpressFiles$InstallLocation$Magnets$Magnets URI$Magnets\DefaultIcon$Magnets\shell$Magnets\shell\open\command$Publisher$Software\Microsoft\Internet Explorer\ProtocolExecute\magnets$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles$URL Protocol$URLInfoAbout$UninstallString$WarnOnOpen$application/x-magnets$http://www.express-files.com/$http://www.express-files.com/$open
                • API String ID: 1960140225-1323249820
                • Opcode ID: b9ff41efca294e75e0ad7fcc8b69b57377e6f820bfab63544106d7de28dff8df
                • Instruction ID: 782461ce589b93ffc606f05bf7dd20060a5cf2829273daad732b555a9d6cb1a1
                • Opcode Fuzzy Hash: b9ff41efca294e75e0ad7fcc8b69b57377e6f820bfab63544106d7de28dff8df
                • Instruction Fuzzy Hash: 006166B1BC031D7AEB209B508C8AFDB7B6DDB14B44F10459B7604B61C2DEF95BC48A68
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00401DE8: __snwprintf.LIBCMT ref: 00401E6E
                  • Part of subcall function 00401DE8: InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,00000000,00000000), ref: 00401E7F
                  • Part of subcall function 00401DE8: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000000,00000000), ref: 00401E90
                  • Part of subcall function 00401DE8: SetSecurityDescriptorGroup.ADVAPI32(?,00000000,00000000,?,00000000,00000000), ref: 00401E9F
                  • Part of subcall function 00401DE8: SetSecurityDescriptorSacl.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000), ref: 00401EAF
                  • Part of subcall function 00401DE8: CreateDirectoryW.KERNEL32(?,?,?,00000000,00000000), ref: 00401EE3
                  • Part of subcall function 00401DE8: GetLastError.KERNEL32(?,00000000,00000000), ref: 00401EED
                  • Part of subcall function 00401DE8: __snwprintf.LIBCMT ref: 00401F12
                  • Part of subcall function 00401DE8: __snwprintf.LIBCMT ref: 00401F2C
                  • Part of subcall function 00401DE8: __snwprintf.LIBCMT ref: 00401F46
                • GetTempPathW.KERNEL32(00000103,?), ref: 00403CE4
                • GetTickCount.KERNEL32 ref: 00403D11
                • __snwprintf.LIBCMT ref: 00403D20
                • MoveFileExW.KERNEL32(?,?,00000001), ref: 00403D3E
                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403D4B
                • GetTickCount.KERNEL32 ref: 00403D4D
                • __snwprintf.LIBCMT ref: 00403D61
                • MoveFileExW.KERNEL32(?,?,00000001), ref: 00403D79
                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403D86
                • GetTickCount.KERNEL32 ref: 00403D88
                • __snwprintf.LIBCMT ref: 00403D9C
                • MoveFileExW.KERNEL32(?,?,00000001), ref: 00403DB4
                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403DC1
                • GetTickCount.KERNEL32 ref: 00403DC3
                • __snwprintf.LIBCMT ref: 00403DD7
                  • Part of subcall function 00407897: __flsbuf.LIBCMT ref: 00407941
                  • Part of subcall function 00407897: __flsbuf.LIBCMT ref: 00407959
                • MoveFileExW.KERNEL32(?,?,00000001), ref: 00403DEF
                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403DFC
                • GetTickCount.KERNEL32 ref: 00403DFE
                • __snwprintf.LIBCMT ref: 00403E12
                • MoveFileExW.KERNEL32(?,?,00000001), ref: 00403E2A
                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403E37
                  • Part of subcall function 0040108F: OpenProcess.KERNEL32(00000001,00000000,00000000,74CB40A0,00403E43), ref: 0040109E
                  • Part of subcall function 0040108F: TerminateProcess.KERNEL32(00000000,000000FF), ref: 004010AD
                  • Part of subcall function 0040108F: CloseHandle.KERNEL32(00000000), ref: 004010B4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: FileMove$__snwprintf$CountTick$DescriptorSecurity$Process__flsbuf$CloseCreateDaclDirectoryErrorGroupHandleInitializeLastOpenPathSaclTempTerminate
                • String ID: ExpressDL.exe$ExpressFiles%u.tmp$ExpressFiles.exe$dht%u.tmp$expressdl%u.tmp$htmlayout%u.tmp$uninstall%u.tmp
                • API String ID: 1038718190-2835777480
                • Opcode ID: 5f5026c0a2fe4f820c53f64f05fb3032a8dee728c22abfa38bd4ebab12d2f3d0
                • Instruction ID: 87d98308fe2fa0717cbc295282570b70ae07b1cec1c3165c2f9ecb787386cf9f
                • Opcode Fuzzy Hash: 5f5026c0a2fe4f820c53f64f05fb3032a8dee728c22abfa38bd4ebab12d2f3d0
                • Instruction Fuzzy Hash: 61415771D4021C7ADB11EB61CC89FDA7B7CEF14704F0405A6B618A60D1DB755B908FE9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __snwprintf.LIBCMT ref: 00401E6E
                • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,00000000,00000000), ref: 00401E7F
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000000,00000000), ref: 00401E90
                • SetSecurityDescriptorGroup.ADVAPI32(?,00000000,00000000,?,00000000,00000000), ref: 00401E9F
                • SetSecurityDescriptorSacl.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000), ref: 00401EAF
                • CreateDirectoryW.KERNEL32(?,?,?,00000000,00000000), ref: 00401EE3
                • GetLastError.KERNEL32(?,00000000,00000000), ref: 00401EED
                • __snwprintf.LIBCMT ref: 00401F12
                • __snwprintf.LIBCMT ref: 00401F2C
                • __snwprintf.LIBCMT ref: 00401F46
                • __snwprintf.LIBCMT ref: 00401F60
                • __snwprintf.LIBCMT ref: 00401F7D
                • __snwprintf.LIBCMT ref: 00401F97
                • __snwprintf.LIBCMT ref: 00401FB1
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00401FC2
                • GetLastError.KERNEL32 ref: 00401FCC
                • __snwprintf.LIBCMT ref: 00401FFF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __snwprintf$DescriptorSecurity$CreateDirectoryErrorLast$DaclGroupInitializeSacl
                • String ID: %s\%s$EN.ini$ExpressDL.exe$ExpressFiles.exe$current-cloud.html$dht.dat$htmlayout.dll$language$uninstall.exe
                • API String ID: 1648615902-3264171877
                • Opcode ID: f7a9a732f28109b07b6144d35e2a22889c9252f4ae9d31a3a9022b9d9d3625f9
                • Instruction ID: 1b564ffcd36949cc2c74559874444057589e5fd4394984ec036ba2af574ed169
                • Opcode Fuzzy Hash: f7a9a732f28109b07b6144d35e2a22889c9252f4ae9d31a3a9022b9d9d3625f9
                • Instruction Fuzzy Hash: C6515E72800218BADB20DFA5DC8DEDB7BBCEB49704F0441BAB909E6052D7789684CB74
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 004015F4
                • GetModuleHandleA.KERNEL32(Kernel32,GetProductInfo), ref: 0040160C
                • GetProcAddress.KERNEL32(00000000), ref: 00401615
                • GetCurrentProcessId.KERNEL32(?), ref: 0040161F
                  • Part of subcall function 004014D8: OpenProcess.KERNEL32(00000400,00000000,?), ref: 004014F9
                  • Part of subcall function 004014D8: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00401511
                  • Part of subcall function 004014D8: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040152C
                  • Part of subcall function 004014D8: GetLastError.KERNEL32 ref: 00401532
                  • Part of subcall function 004014D8: GetProcessHeap.KERNEL32(00000000,?), ref: 00401541
                  • Part of subcall function 004014D8: HeapAlloc.KERNEL32(00000000), ref: 00401548
                  • Part of subcall function 004014D8: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00401561
                  • Part of subcall function 004014D8: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00401569
                  • Part of subcall function 004014D8: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0040157A
                  • Part of subcall function 004014D8: SetLastError.KERNEL32(00000000), ref: 0040158C
                  • Part of subcall function 004014D8: GetLastError.KERNEL32 ref: 00401592
                  • Part of subcall function 004014D8: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004015A0
                  • Part of subcall function 004014D8: HeapFree.KERNEL32(00000000), ref: 004015A7
                  • Part of subcall function 004014D8: CloseHandle.KERNEL32(?), ref: 004015BB
                  • Part of subcall function 004014D8: CloseHandle.KERNEL32(?), ref: 004015C5
                • CreateProcessW.KERNEL32 ref: 0040164C
                • GetLastError.KERNEL32 ref: 00401656
                • CloseHandle.KERNEL32(?), ref: 0040166A
                • CloseHandle.KERNEL32(?), ref: 0040166F
                • GetModuleHandleA.KERNEL32(Advapi32,CreateProcessWithTokenW), ref: 0040167F
                • GetProcAddress.KERNEL32(00000000), ref: 00401682
                • GetShellWindow.USER32 ref: 0040168F
                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040169D
                • OpenProcess.KERNEL32(00000400,00000000,?), ref: 004016AC
                • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 004016C0
                • DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?), ref: 004016DB
                • SetLastError.KERNEL32(00000000), ref: 004016FF
                • GetLastError.KERNEL32 ref: 00401705
                • CloseHandle.KERNEL32(?), ref: 0040171B
                • CloseHandle.KERNEL32(?), ref: 00401725
                • CloseHandle.KERNEL32(00002000), ref: 0040172F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: HandleProcess$Close$ErrorLast$Token$HeapOpen$AddressAuthorityInformationModuleProcWindow$AllocCountCreateCurrentDuplicateFreeShellThread_memset
                • String ID: Advapi32$CreateProcessWithTokenW$GetProductInfo$Kernel32
                • API String ID: 57731014-2586447327
                • Opcode ID: de440af90c9eb4138c99f53fe2eb7a1ae70592b1cc59fdca0ab05b195316246a
                • Instruction ID: 9bb44bd2211025a76b721a39ef127812c674402ab68add2ab692ccf74696313f
                • Opcode Fuzzy Hash: de440af90c9eb4138c99f53fe2eb7a1ae70592b1cc59fdca0ab05b195316246a
                • Instruction Fuzzy Hash: DD415C71900218BBCB11AFA5CC48AEFBFB8EF08742F144436F505F21A0D7759A41CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004081C4), ref: 0040B188
                • __mtterm.LIBCMT ref: 0040B194
                  • Part of subcall function 0040AECD: DecodePointer.KERNEL32(00000006,0040B2F6,?,004081C4), ref: 0040AEDE
                  • Part of subcall function 0040AECD: TlsFree.KERNEL32(0000001B,0040B2F6,?,004081C4), ref: 0040AEF8
                  • Part of subcall function 0040AECD: DeleteCriticalSection.KERNEL32(00000000,00000000,778DF3A0,?,0040B2F6,?,004081C4), ref: 0040E6F4
                  • Part of subcall function 0040AECD: _free.LIBCMT ref: 0040E6F7
                  • Part of subcall function 0040AECD: DeleteCriticalSection.KERNEL32(0000001B,778DF3A0,?,0040B2F6,?,004081C4), ref: 0040E71E
                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040B1AA
                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040B1B7
                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040B1C4
                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040B1D1
                • TlsAlloc.KERNEL32(?,004081C4), ref: 0040B221
                • TlsSetValue.KERNEL32(00000000,?,004081C4), ref: 0040B23C
                • __init_pointers.LIBCMT ref: 0040B246
                • EncodePointer.KERNEL32(?,004081C4), ref: 0040B257
                • EncodePointer.KERNEL32(?,004081C4), ref: 0040B264
                • EncodePointer.KERNEL32(?,004081C4), ref: 0040B271
                • EncodePointer.KERNEL32(?,004081C4), ref: 0040B27E
                • DecodePointer.KERNEL32(0040B051,?,004081C4), ref: 0040B29F
                • __calloc_crt.LIBCMT ref: 0040B2B4
                • DecodePointer.KERNEL32(00000000,?,004081C4), ref: 0040B2CE
                • GetCurrentThreadId.KERNEL32 ref: 0040B2E0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                • API String ID: 3698121176-3819984048
                • Opcode ID: 075102baf782855bd31803b65f5c8eae9857b4110be79dbdfc8ebdd4ab477078
                • Instruction ID: 8ef39d3875db1831668df36e5a39cb3dc6a93f4fadec20ff4aff144fe6e17387
                • Opcode Fuzzy Hash: 075102baf782855bd31803b65f5c8eae9857b4110be79dbdfc8ebdd4ab477078
                • Instruction Fuzzy Hash: 8B318230980321FAC7116F76FC8969A3EA6EB48761711897BE414E32F1DB38A451DF9C
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00403CB2: GetTempPathW.KERNEL32(00000103,?), ref: 00403CE4
                  • Part of subcall function 00403CB2: GetTickCount.KERNEL32 ref: 00403D11
                  • Part of subcall function 00403CB2: __snwprintf.LIBCMT ref: 00403D20
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,?,00000001), ref: 00403D3E
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403D4B
                  • Part of subcall function 00403CB2: GetTickCount.KERNEL32 ref: 00403D4D
                  • Part of subcall function 00403CB2: __snwprintf.LIBCMT ref: 00403D61
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,?,00000001), ref: 00403D79
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403D86
                  • Part of subcall function 00403CB2: GetTickCount.KERNEL32 ref: 00403D88
                  • Part of subcall function 00403CB2: __snwprintf.LIBCMT ref: 00403D9C
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,?,00000001), ref: 00403DB4
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403DC1
                  • Part of subcall function 00403CB2: GetTickCount.KERNEL32 ref: 00403DC3
                  • Part of subcall function 00403CB2: __snwprintf.LIBCMT ref: 00403DD7
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,?,00000001), ref: 00403DEF
                  • Part of subcall function 00403CB2: MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00403DFC
                  • Part of subcall function 00403CB2: GetTickCount.KERNEL32 ref: 00403DFE
                  • Part of subcall function 00402512: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000019,00000001,?,00000000), ref: 00402537
                  • Part of subcall function 00402512: __snwprintf.LIBCMT ref: 0040255E
                  • Part of subcall function 00402512: DeleteFileW.KERNEL32(?), ref: 00402572
                  • Part of subcall function 004023E3: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000016,00000001,?,?,00000000), ref: 00402408
                • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00403EAD
                • SHDeleteKeyW.SHLWAPI(80000000,Magnets), ref: 00403EC3
                • SHDeleteKeyW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles), ref: 00403ED0
                • SHDeleteValueW.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion\Run,ExpressFiles), ref: 00403EE1
                • SHGetValueA.SHLWAPI(80000001,Software\ExpressFiles,expressdl_starts,?,?,?), ref: 00403F12
                  • Part of subcall function 00403ACB: SHGetValueW.SHLWAPI(80000001,Software\ExpressFiles,?,?,?,00000000,?,?,?,00402BD6,soft_id,?,?,?), ref: 00403AF6
                • __snwprintf.LIBCMT ref: 00403F5C
                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00403F73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497439983.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497516449.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497536976.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497555314.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497626413.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497638746.0000000000432000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497648108.0000000000435000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498696061.000000000083A000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498701332.000000000083B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498709695.000000000083C000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498715684.000000000083D000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498721815.000000000083F000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498741268.0000000000848000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498747688.0000000000849000.00000080.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498759236.000000000084A000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498771591.0000000000855000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498782650.0000000000857000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498791418.0000000000859000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498807246.0000000000863000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498825505.000000000086F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.498840310.000000000087B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: File$Move$__snwprintf$CountTick$Delete$PathValue$FolderSpecial$ChangeExecuteNotifyShellTemp
                • String ID: ExpressFiles$Magnets$Software\ExpressFiles$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Uninstall\ExpressFiles$default-id$expressdl_starts$http://express-files.com/uninstall/?sid=%s&aid=%s&d=%lld&s=%u$open$soft_id$LJu
                • API String ID: 2473526292-1786823547
                • Opcode ID: 8f3314ceb96532a4a09adf02fe4baa565363f1e047e6d14583b1ab5ffbcf2750
                • Instruction ID: 8cee30aa39b64c8435ba161db1776d5d81e0a050d14e0917f465dcd83a494d5c
                • Opcode Fuzzy Hash: 8f3314ceb96532a4a09adf02fe4baa565363f1e047e6d14583b1ab5ffbcf2750
                • Instruction Fuzzy Hash: FF21E9726443047BD210AF619C46FEB77ACEB88B05F10452FF954A21C1DE79AA4487AA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShowWindow.USER32(?,00000000,86AC0E8B), ref: 00401C18
                  • Part of subcall function 00403526: GetTempPathW.KERNEL32(00000103,?,?,?,00000000), ref: 00403565
                  • Part of subcall function 00403526: GetTickCount.KERNEL32 ref: 00403571
                  • Part of subcall function 00403526: __snwprintf.LIBCMT ref: 0040358A
                  • Part of subcall function 00403526: __snwprintf.LIBCMT ref: 004035C4
                  • Part of subcall function 00403526: ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000001), ref: 004035DF
                • CreateMutexW.KERNEL32(00000000,00000000,{2fd22d30-203e-11e1-8bc2-0800200c9a66}), ref: 00401C2C
                • GetLastError.KERNEL32 ref: 00401C34
                • CloseHandle.KERNEL32(00000000), ref: 00401C72
                • __snwprintf.LIBCMT ref: 00401CDD
                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00401CFA
                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00401D1E
                • MessageBoxW.USER32(00000000,ExpressFiles,error,00000000), ref: 00401DBE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ExecuteShell__snwprintf$CloseCountCreateErrorHandleLastMessageMutexPathShowTempTickWindow
                • String ID: ExpressFiles$ExpressFilesDL$default-id$error$http://express-files.com/welcome/?sid=%s&aid=%s&b=%d&d=%lld$open${2fd22d30-203e-11e1-8bc2-0800200c9a66}$LJu
                • API String ID: 877578555-727556491
                • Opcode ID: 464f80dab1f727cc9a5419ad50761d9959ed973649888f5a3de745221c52b686
                • Instruction ID: 94b84ab5e9e7a7729e18d5922fac55ed15cb8e9bde6a94bb269485d0d21796f3
                • Opcode Fuzzy Hash: 464f80dab1f727cc9a5419ad50761d9959ed973649888f5a3de745221c52b686
                • Instruction Fuzzy Hash: 7251C071604345ABC714EF64CCC5EEBBBADFF48314F000A2EF445A32E1DB78A9458699
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,004332A0,0000000C,0042B64A,00000000,00000000,?,00000001,0042B07E,0042AB2A), ref: 0042B521
                • __crt_waiting_on_module_handle.LIBCMT ref: 0042B52C
                  • Part of subcall function 0042CAF5: Sleep.KERNEL32(000003E8,00000000,?,0042B472,KERNEL32.DLL,?,0042B4BE,?,00000001,0042B07E,0042AB2A), ref: 0042CB01
                  • Part of subcall function 0042CAF5: GetModuleHandleW.KERNEL32(00000001,?,0042B472,KERNEL32.DLL,?,0042B4BE,?,00000001,0042B07E,0042AB2A), ref: 0042CB0A
                • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0042B555
                • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0042B565
                • __lock.LIBCMT ref: 0042B587
                • InterlockedIncrement.KERNEL32(?), ref: 0042B594
                • __lock.LIBCMT ref: 0042B5A8
                • ___addlocaleref.LIBCMT ref: 0042B5C6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                • String ID: DecodePointer$EncodePointer$KERNEL32.DLL$WC
                • API String ID: 1028249917-1000047951
                • Opcode ID: 068befcd3704ab22be56119cbdaab9ce8b4069309a1ce007bbbfaeecaf5c9563
                • Instruction ID: 1b120451ca6417ae19f4159e3bff0f8d161a46127c804540cd555a8bc0afc345
                • Opcode Fuzzy Hash: 068befcd3704ab22be56119cbdaab9ce8b4069309a1ce007bbbfaeecaf5c9563
                • Instruction Fuzzy Hash: C2117271A00711EFD710EF66AC41B4ABBE0EF04318F90956FE499972A0CB78AA40CF5C
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00406EB8
                • LoadLibraryA.KERNEL32(?), ref: 00406F31
                • GetLastError.KERNEL32 ref: 00406F3D
                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00406F70
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                • String ID: $
                • API String ID: 948315288-3993045852
                • Opcode ID: 4cc751d35614a2170bcfc8ad77c587006582ec1851604b5b53bcc06281603ec1
                • Instruction ID: ce3bf21f8cd5bf5204e91e3bcffa82e38807681f1fc2b69fdaeef7a32b97048d
                • Opcode Fuzzy Hash: 4cc751d35614a2170bcfc8ad77c587006582ec1851604b5b53bcc06281603ec1
                • Instruction Fuzzy Hash: 81812D75A40209AFDB10CFA8D880AAEB7F5EF48711F15813AE905E7390DB74EA44CF59
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTempPathW.KERNEL32(00000103,?,?,?,00000000), ref: 00403565
                • GetTickCount.KERNEL32 ref: 00403571
                • __snwprintf.LIBCMT ref: 0040358A
                  • Part of subcall function 004018BE: LockResource.KERNEL32(00000000), ref: 004018F4
                  • Part of subcall function 004018BE: SizeofResource.KERNEL32(00000000,00000000), ref: 00401903
                  • Part of subcall function 004018BE: CreateFileW.KERNEL32(?,C0000000,00000001,?,00000004,00000000,00000000), ref: 0040192E
                  • Part of subcall function 004018BE: VirtualFree.KERNELBASE(?,00000000,00000000,00008000), ref: 00401957
                  • Part of subcall function 004018BE: FreeResource.KERNEL32(?), ref: 00401960
                • __snwprintf.LIBCMT ref: 004035C4
                • ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000001), ref: 004035DF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Resource$Free__snwprintf$CountCreateExecuteFileLockPathShellSizeofTempTickVirtual
                • String ID: /mhp /mnt /mds /babTrack="affID=%s" /s /aflt=babsst /instlref=sst /srcExt=ss$BABYLON$open$toolbar%u.exe$LJu
                • API String ID: 1741217986-4003238989
                • Opcode ID: 969bcea8e7ad96532d7f77a97b3582643035614bf12d89063f099dfb46ec4e0a
                • Instruction ID: c8430cab012f56bf22740aea0caff8f0c4f3e4d2e2727e5e06d85340c95e25f1
                • Opcode Fuzzy Hash: 969bcea8e7ad96532d7f77a97b3582643035614bf12d89063f099dfb46ec4e0a
                • Instruction Fuzzy Hash: F311CB71B402087BD710DB64CC89FE73BAC9B14709F14047FB515E21D1F9B5DB448669
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000016,00000001,?,?,00000000), ref: 00402408
                • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 00402455
                • GetLastError.KERNEL32(?,?,00000000), ref: 0040245F
                • __snwprintf.LIBCMT ref: 0040248F
                • __snwprintf.LIBCMT ref: 004024D6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __snwprintf$CreateDirectoryErrorFolderLastPathSpecial
                • String ID: %s\%s.lnk$ExpressFiles$Uninstall$\ExpressFiles
                • API String ID: 3668843157-709336226
                • Opcode ID: c508638348ba11594b4e8e434e808cbb48ef80d85f6b57ab3de0574f35e67c7b
                • Instruction ID: 7fe0aa0ce09214fd93cdcf71aeac9113d88b356813dbc2b8b0a2e5d478c6a899
                • Opcode Fuzzy Hash: c508638348ba11594b4e8e434e808cbb48ef80d85f6b57ab3de0574f35e67c7b
                • Instruction Fuzzy Hash: C931DDB2E4021C7ADB10DE50CD89FDB77AC9B14304F4140B6BA0DF61C1E679AA858679
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenFileMappingA.KERNEL32 ref: 00403A62
                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000,?,00401C6A,?,?), ref: 00403A78
                • _memset.LIBCMT ref: 00403A91
                • _memmove.LIBCMT ref: 00403A9D
                • OpenEventA.KERNEL32(00000002,00000000,ExpressFilesPipeKeyword,00401C6A,?,?), ref: 00403AAD
                • SetEvent.KERNEL32(00000000,?,?), ref: 00403ABA
                • CloseHandle.KERNEL32(00000000,?,?), ref: 00403AC1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: EventFileOpen$CloseHandleMappingView_memmove_memset
                • String ID: ExpressFilesPipe$ExpressFilesPipeKeyword
                • API String ID: 292703036-1477078467
                • Opcode ID: 46c8ae7120435698744864ace500e945a261b782131fe710388ec90a8446f2ae
                • Instruction ID: fbfab9ed65d3ae908d753507668715f51141cc322939da1c50132bc64de82bf2
                • Opcode Fuzzy Hash: 46c8ae7120435698744864ace500e945a261b782131fe710388ec90a8446f2ae
                • Instruction Fuzzy Hash: 88F081365515207BC7212F669D0DDDBBE6CDBCAB52F04803AFA48B2291DA3916018AED
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _malloc.LIBCMT ref: 00407C07
                  • Part of subcall function 0040CA9F: __FF_MSGBANNER.LIBCMT ref: 0040CAB8
                  • Part of subcall function 0040CA9F: __NMSG_WRITE.LIBCMT ref: 0040CABF
                  • Part of subcall function 0040CA9F: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0040C469,00000000,00000001,00000000,?,0040E792,00000018,00419398,0000000C,0040E822), ref: 0040CAE4
                • std::exception::exception.LIBCMT ref: 00407C3C
                • std::exception::exception.LIBCMT ref: 00407C56
                • __CxxThrowException@8.LIBCMT ref: 00407C67
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                • String ID: l_A$t_A
                • API String ID: 615853336-157416012
                • Opcode ID: cc54d203c67dbeb22d690e521a74d423c97d8722b0cd321c0dfac2208916969a
                • Instruction ID: 4074200384b5878bf9638d32b00ec7341b6813f7ed76491f3cc48ce8c81626fe
                • Opcode Fuzzy Hash: cc54d203c67dbeb22d690e521a74d423c97d8722b0cd321c0dfac2208916969a
                • Instruction Fuzzy Hash: 4AF0D631D88305AADB04EB65DC42ADE77B56B41718B10407FE500B61D2DBBCAE818A4E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,004192C8,00000008,0040B012,00000000,00000000,?,0040771A,?,00000000), ref: 0040AF1B
                • __lock.LIBCMT ref: 0040AF4F
                  • Part of subcall function 0040E807: __mtinitlocknum.LIBCMT ref: 0040E81D
                  • Part of subcall function 0040E807: __amsg_exit.LIBCMT ref: 0040E829
                  • Part of subcall function 0040E807: EnterCriticalSection.KERNEL32(00000000,00000000,?,0040AF54,0000000D), ref: 0040E831
                • InterlockedIncrement.KERNEL32(?), ref: 0040AF5C
                • __lock.LIBCMT ref: 0040AF70
                • ___addlocaleref.LIBCMT ref: 0040AF8E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                • String ID: KERNEL32.DLL
                • API String ID: 637971194-2576044830
                • Opcode ID: b95e8310471a0d7af0ae3488fbc118d04b24ff27f898de3904f7e751e23ef46f
                • Instruction ID: 0eda4398030ca1b4ec90bf296d2e7d063c9f66be767569d8fd10f411456b15f5
                • Opcode Fuzzy Hash: b95e8310471a0d7af0ae3488fbc118d04b24ff27f898de3904f7e751e23ef46f
                • Instruction Fuzzy Hash: A2018871440700EFD710AF66D805789FBE0AF40325F20C96FE496676E1CBB8A544CB1D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 00411EC4
                  • Part of subcall function 0040B037: __getptd_noexit.LIBCMT ref: 0040B03A
                  • Part of subcall function 0040B037: __amsg_exit.LIBCMT ref: 0040B047
                • __getptd.LIBCMT ref: 00411ED5
                • __getptd.LIBCMT ref: 00411EE3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __getptd$__amsg_exit__getptd_noexit
                • String ID: MOC$RCC$csm
                • API String ID: 803148776-2671469338
                • Opcode ID: ac9acaba592351257c347e96db837c98b3d5d857367d5297a52c3b61fa2e2073
                • Instruction ID: ad5198425dcd16ba3a0c1d170fbc9a99a4fbbb51b7f70dae00af40d0ef6b080d
                • Opcode Fuzzy Hash: ac9acaba592351257c347e96db837c98b3d5d857367d5297a52c3b61fa2e2073
                • Instruction Fuzzy Hash: E7E01B702003045EC71497E5C049BA636A4EF48718F5500B7D91CC7372D73CDC948A4E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _ValidateScopeTableHandlers.LIBCMT ref: 00430C21
                • __FindPESection.LIBCMT ref: 00430C3B
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FindHandlersScopeSectionTableValidate
                • String ID:
                • API String ID: 876702719-0
                • Opcode ID: 18aa4dcde5ed86294210cc9b00757967397666e754d52aa27773797f2fe3308b
                • Instruction ID: b7f34a7f5440cba2b05c2b3b31467a9d1aa777794c2103d39275d7fe2a6ff009
                • Opcode Fuzzy Hash: 18aa4dcde5ed86294210cc9b00757967397666e754d52aa27773797f2fe3308b
                • Instruction Fuzzy Hash: 0C91E471A002099BCB14CF59E8A176EB3B1EB8D714F16A73ED815973A0D739EC01CB98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __CreateFrameInfo.LIBCMT ref: 00412178
                  • Part of subcall function 00411C90: __getptd.LIBCMT ref: 00411C9E
                  • Part of subcall function 00411C90: __getptd.LIBCMT ref: 00411CAC
                • __getptd.LIBCMT ref: 00412182
                  • Part of subcall function 0040B037: __getptd_noexit.LIBCMT ref: 0040B03A
                  • Part of subcall function 0040B037: __amsg_exit.LIBCMT ref: 0040B047
                • __getptd.LIBCMT ref: 00412190
                • __getptd.LIBCMT ref: 0041219E
                • __getptd.LIBCMT ref: 004121A9
                • _CallCatchBlock2.LIBCMT ref: 004121CF
                  • Part of subcall function 00411D35: __CallSettingFrame@12.LIBCMT ref: 00411D81
                  • Part of subcall function 00412276: __getptd.LIBCMT ref: 00412285
                  • Part of subcall function 00412276: __getptd.LIBCMT ref: 00412293
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                • String ID:
                • API String ID: 1602911419-0
                • Opcode ID: fac1956645845d2aab68c52f96cf8e8adbe87428b721bfe6ecc864a0291af5dc
                • Instruction ID: 6c4b70974c1ffbca79b9e6e4c9d4c70a0e1cf305bb07dff78cf821ec722c29e2
                • Opcode Fuzzy Hash: fac1956645845d2aab68c52f96cf8e8adbe87428b721bfe6ecc864a0291af5dc
                • Instruction Fuzzy Hash: 9811F6B1C00309DFDB00EFA5C549AEE7BB4FF08318F50806AF814A7291DB799A519F98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 0040A699
                  • Part of subcall function 0040B037: __getptd_noexit.LIBCMT ref: 0040B03A
                  • Part of subcall function 0040B037: __amsg_exit.LIBCMT ref: 0040B047
                • __amsg_exit.LIBCMT ref: 0040A6B9
                • __lock.LIBCMT ref: 0040A6C9
                • InterlockedDecrement.KERNEL32(?), ref: 0040A6E6
                • _free.LIBCMT ref: 0040A6F9
                • InterlockedIncrement.KERNEL32(02B01608), ref: 0040A711
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                • String ID:
                • API String ID: 3470314060-0
                • Opcode ID: 37e3f7d88e2f556bdc05ffef4599519bac1e7625fd073d1885724976562fed73
                • Instruction ID: 6971d5e3c2aac5b621cddb598357bc723a53cdb569e3354dba7bbe42c2d32aea
                • Opcode Fuzzy Hash: 37e3f7d88e2f556bdc05ffef4599519bac1e7625fd073d1885724976562fed73
                • Instruction Fuzzy Hash: A501AD32901722EBC711AB26980579A77B0AB04715F19857FE850772D0CB3DA991CBDF
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000019,00000001,?,00000000), ref: 00402537
                • __snwprintf.LIBCMT ref: 0040255E
                • DeleteFileW.KERNEL32(?), ref: 00402572
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: DeleteFileFolderPathSpecial__snwprintf
                • String ID: %s\%s.lnk$\ExpressFiles
                • API String ID: 3203081110-912599680
                • Opcode ID: 279e66bef23bed2c131930385371ae3957df252c151da798df29f9097843aa09
                • Instruction ID: d8160b51ce278e8b573f38284f18188846947325d4ae94ff0bca02206846ef0d
                • Opcode Fuzzy Hash: 279e66bef23bed2c131930385371ae3957df252c151da798df29f9097843aa09
                • Instruction Fuzzy Hash: 3001C4F2E0121C7AD710EB608C89EDB77AC9B08704F5440B7B605A31C1E6B99B888A69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___BuildCatchObject.LIBCMT ref: 00412510
                  • Part of subcall function 0041246B: ___BuildCatchObjectHelper.LIBCMT ref: 004124A1
                • _UnwindNestedFrames.LIBCMT ref: 00412527
                • ___FrameUnwindToState.LIBCMT ref: 00412535
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                • String ID: csm$csm
                • API String ID: 2163707966-3733052814
                • Opcode ID: f58864dd28486eacc90c28f0235ace34f10543c09823e2271696a671f01b4110
                • Instruction ID: efed86584197d68df392576cf218f9e364a751352dc458e4b88a786fa1960dbb
                • Opcode Fuzzy Hash: f58864dd28486eacc90c28f0235ace34f10543c09823e2271696a671f01b4110
                • Instruction Fuzzy Hash: DF014B7100010ABBDF12AF51CD95EEB3F6AFF08348F004016BD1854261D77ADAB1DBA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 0042C466
                  • Part of subcall function 0042B66F: __getptd_noexit.LIBCMT ref: 0042B672
                  • Part of subcall function 0042B66F: __amsg_exit.LIBCMT ref: 0042B67F
                • __getptd.LIBCMT ref: 0042C47D
                • __amsg_exit.LIBCMT ref: 0042C48B
                • __lock.LIBCMT ref: 0042C49B
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                • String ID: WC
                • API String ID: 3521780317-4263399205
                • Opcode ID: 2fb8b0759eb99ea1a2c17ce6ff3653293dbba73d715f943043e0e0373a118853
                • Instruction ID: e73fcd89f32cb9bcf6c2630ad75ba8f9ee955d7973016b4d769f5e7ce728a33a
                • Opcode Fuzzy Hash: 2fb8b0759eb99ea1a2c17ce6ff3653293dbba73d715f943043e0e0373a118853
                • Instruction Fuzzy Hash: F1F09032B007309AD720FB65B852B6E73A0AF00724FD4465FA444972D2CB7C6901DB5E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoCreateInstance.OLE32(00418034,00000000,00000001,00418044,?), ref: 00401AC0
                • SysAllocString.OLEAUT32(?), ref: 00401ADB
                • SysFreeString.OLEAUT32(00000000), ref: 00401AF6
                • SysAllocString.OLEAUT32(?), ref: 00401AFB
                • SysFreeString.OLEAUT32(00000000), ref: 00401B37
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: String$AllocFree$CreateInstance
                • String ID:
                • API String ID: 1867060851-0
                • Opcode ID: d8fc38dd4b80db04442b9182fc7a30e87359efba21ac05a511a53b5363a53ebd
                • Instruction ID: 042ab65d192b565e9391c60aa070fa585c90e133bca2e214bd24dee86de6e88f
                • Opcode Fuzzy Hash: d8fc38dd4b80db04442b9182fc7a30e87359efba21ac05a511a53b5363a53ebd
                • Instruction Fuzzy Hash: 9F314375A00218FFCB10DBE5C888C9EBBB8EF8D71471145AAF905EB250DB75AE41CB54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _malloc.LIBCMT ref: 0040F882
                  • Part of subcall function 0040CA9F: __FF_MSGBANNER.LIBCMT ref: 0040CAB8
                  • Part of subcall function 0040CA9F: __NMSG_WRITE.LIBCMT ref: 0040CABF
                  • Part of subcall function 0040CA9F: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0040C469,00000000,00000001,00000000,?,0040E792,00000018,00419398,0000000C,0040E822), ref: 0040CAE4
                • _free.LIBCMT ref: 0040F895
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID:
                • API String ID: 1020059152-0
                • Opcode ID: f1c698d943b60e1a01b7fb5ece37420387bac0d3d6533b4d33d8f44523ba3be3
                • Instruction ID: 1007cce6ced3367a689d4325fc8478d8be88f8a5dcacee1b890f5e9a067d7ad8
                • Opcode Fuzzy Hash: f1c698d943b60e1a01b7fb5ece37420387bac0d3d6533b4d33d8f44523ba3be3
                • Instruction Fuzzy Hash: 5C11BF33504215FACF317F75AC0569A3B94AF843A4B20C53BF908B66E1DB3C8C44969D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 0042BCFA
                  • Part of subcall function 0042B66F: __getptd_noexit.LIBCMT ref: 0042B672
                  • Part of subcall function 0042B66F: __amsg_exit.LIBCMT ref: 0042B67F
                • __amsg_exit.LIBCMT ref: 0042BD1A
                • __lock.LIBCMT ref: 0042BD2A
                • InterlockedDecrement.KERNEL32(?), ref: 0042BD47
                • InterlockedIncrement.KERNEL32(02921608), ref: 0042BD72
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                • String ID:
                • API String ID: 4271482742-0
                • Opcode ID: 2f7acb012b993c7823a334751a51ca8ca2a9730d4eb58a4d413eb6bf6e87fcd5
                • Instruction ID: eaa4c4c19f1c49c9ef8c2465360922452589263ce0e8834dbe8ce725df6ce1f4
                • Opcode Fuzzy Hash: 2f7acb012b993c7823a334751a51ca8ca2a9730d4eb58a4d413eb6bf6e87fcd5
                • Instruction Fuzzy Hash: A401A131F01A359BDB21AB25B44A79E77A0EF04711FD4111BE800673A1CB3C6941CBDD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 0040AE1A
                  • Part of subcall function 0040B037: __getptd_noexit.LIBCMT ref: 0040B03A
                  • Part of subcall function 0040B037: __amsg_exit.LIBCMT ref: 0040B047
                • __getptd.LIBCMT ref: 0040AE31
                • __amsg_exit.LIBCMT ref: 0040AE3F
                • __lock.LIBCMT ref: 0040AE4F
                • __updatetlocinfoEx_nolock.LIBCMT ref: 0040AE63
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                • String ID:
                • API String ID: 938513278-0
                • Opcode ID: b0fd1c1240593f422da0f5b28273b644d7123647a41d3ee9d3015b79e4b7528e
                • Instruction ID: 424285a83d9546143265bdbdc22f4b29bc8671e2fdc3f1256984bbbe06ae4149
                • Opcode Fuzzy Hash: b0fd1c1240593f422da0f5b28273b644d7123647a41d3ee9d3015b79e4b7528e
                • Instruction Fuzzy Hash: 13F06D33940310DBD621BB66984AB4A3690AF00729F20827FF415766D2CB7C59518A9E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32(?), ref: 004032DC
                • LeaveCriticalSection.KERNEL32(?), ref: 004032E9
                • LeaveCriticalSection.KERNEL32(?), ref: 00403333
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID:
                • API String ID: 2978645861-0
                • Opcode ID: 6e5eb49f077cd20f1b82ff2ff0886e574cbdb812f3da21859e1f2eeadf4dcb1f
                • Instruction ID: d365970a083996fae6e0d921307bbfe83d62e2b099e5b71f45186992904f1c63
                • Opcode Fuzzy Hash: 6e5eb49f077cd20f1b82ff2ff0886e574cbdb812f3da21859e1f2eeadf4dcb1f
                • Instruction Fuzzy Hash: 0C011775600602EFC711CF59C98596AFBF9EF887623208479E996A3250EB34EE019B18
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040EC91
                • __isleadbyte_l.LIBCMT ref: 0040ECC4
                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 0040ECF5
                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 0040ED63
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: a61a06b1782ba220943d48ab2f3a940656767fe8c701612f1cba7b037531efb9
                • Instruction ID: c3d9b9972b721db3156ebc635dc6c36b122a72e72c22a10a8b28f571f0cfce3e
                • Opcode Fuzzy Hash: a61a06b1782ba220943d48ab2f3a940656767fe8c701612f1cba7b037531efb9
                • Instruction Fuzzy Hash: AF31F331A04246EFEB20CF65C984ABA7BB5EF00310F1849BEE461AB2D1D335DD61DB59
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __wcstoui64
                • String ID:
                • API String ID: 3882282163-0
                • Opcode ID: 48a9d02a2a255a56e310ec030c2647d3611f476ce6f4ed9a71b4a49d4e63c871
                • Instruction ID: 63cf5923bd6d8ef4116eb5826b35e6478a2e61ef5b3fc16d38349cf8837eb262
                • Opcode Fuzzy Hash: 48a9d02a2a255a56e310ec030c2647d3611f476ce6f4ed9a71b4a49d4e63c871
                • Instruction Fuzzy Hash: 1F01F5727056712BFB74463EBC4AF6B2AD4CBC5730F500276F509CA3DCD6A8C8818219
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497569556.0000000000420000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __wcstoui64
                • String ID: #
                • API String ID: 3882282163-1885708031
                • Opcode ID: eb7aa83ba5c3124ead1835b4fa6fa7da76206446a146ae3038961ff377352247
                • Instruction ID: 468054b4e726eabdcc46a198d71a2cbdefb55da6187b9aff75bbb4fd320c834e
                • Opcode Fuzzy Hash: eb7aa83ba5c3124ead1835b4fa6fa7da76206446a146ae3038961ff377352247
                • Instruction Fuzzy Hash: 4311E3767002145FEB148A39EC81BA7779DEBC9324F448566F80DCB385E676EC508250
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497657400.0000000000437000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: NextThread32
                • String ID: 4$LoadStringA
                • API String ID: 1159766829-504894296
                • Opcode ID: 946a94c4654a0e0b7c4c44976c00a5e3d2a71a208f68bb5685a5bbde897e4bfc
                • Instruction ID: 102119b48a9b1fc2e875bf96d5421f5e033de199a7086512a1440ad18668bda2
                • Opcode Fuzzy Hash: 946a94c4654a0e0b7c4c44976c00a5e3d2a71a208f68bb5685a5bbde897e4bfc
                • Instruction Fuzzy Hash: A501247180C394DBC711EB29C8854AEBFD1AEA9358F408B4EB9D467242C33A8525C76B
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00411CE3: __getptd.LIBCMT ref: 00411CE9
                  • Part of subcall function 00411CE3: __getptd.LIBCMT ref: 00411CF9
                • __getptd.LIBCMT ref: 00412285
                  • Part of subcall function 0040B037: __getptd_noexit.LIBCMT ref: 0040B03A
                  • Part of subcall function 0040B037: __amsg_exit.LIBCMT ref: 0040B047
                • __getptd.LIBCMT ref: 00412293
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: __getptd$__amsg_exit__getptd_noexit
                • String ID: csm
                • API String ID: 803148776-1018135373
                • Opcode ID: 33ea2d12ab7dc44aea22babadc710a3016c4c562faffb84bd6d9781517db58c0
                • Instruction ID: 683f82ba9f5097aa5b3d5a58c68e0e1af530cf830ac5d278b4fcbe3391924061
                • Opcode Fuzzy Hash: 33ea2d12ab7dc44aea22babadc710a3016c4c562faffb84bd6d9781517db58c0
                • Instruction Fuzzy Hash: 07018F349002008BCF349F61CA44AEEB7B4BF00314F54046FE440D6791EB7889E1DBAC
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00403657
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497460012.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PR.jbxd
                Similarity
                • API ID: ExecuteShell
                • String ID: open$LJu
                • API String ID: 587946157-2137115434
                • Opcode ID: ff93cf5a5f8a3cb8ed78bb3713a611243565e5d2c441a9d071bd69586460c9e3
                • Instruction ID: 6402367d08045e7231259dd9f7946bd533ae551f9e8a49ab8281ea4c466a65d9
                • Opcode Fuzzy Hash: ff93cf5a5f8a3cb8ed78bb3713a611243565e5d2c441a9d071bd69586460c9e3
                • Instruction Fuzzy Hash: 09E09A31340B006AE630CE65CC81FA37BE86B10B41F048829B65A9A7C1C6A4F648C728
                Uniqueness

                Uniqueness Score: -1.00%