
Windows Analysis Report
5390d36a371f0598b86301961d5fdb329e368e7a.exe

Overview

General Information

Sample name: 5390d36a371f0598b86301961d5fdb329e368e7a.exe
(renamed file extension from none to exe)
Original sample name: 5390d36a371f0598b86301961d5fdb329e368e7a
Analysis ID: 1520616
MD5: 0447e67da4fb72bdde31bd7ec2b62e04
SHA1: 7143740f5b7a35799398568b9606c4b1eeb9d591
SHA256: 12f30a0114c0d67881f10a66cf5b848afc3d858dea34c06836113e272bad0dc5
Errors
  • Corrupt sample or wrongly selected analyzer. Details: 36b1

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to automate explorer (e.g. start an application)
Extracts suspicious resources from PE file (packer detected)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140003050 FindFirstFileW,lstrcmpW,lstrcmpW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0000000140003050
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo,0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001D674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_000000014001D674
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F434
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F864
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140012890
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000FC90
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400248A8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400060B0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400190BC
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140005CC0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400028C0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140021D04
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F540
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010554
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140012D54
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F96C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010994
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400185A8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000B1B0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400131B8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010DD4
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000960B
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001FE30
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140018A3C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F64C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001D674
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000FA78
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400202CC
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400022D0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001AF0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F328
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001730
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F758
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010760
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140006F60
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000FB84
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400223A0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010BA0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400097A4
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140017BC8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140009FDD
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010FE0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: String function: 000000014001506C appears 49 times
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: OriginalFilename vs 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: OriginalFilenameep_setup.exe@ vs 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: classification engine Classification label: mal48.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001730 GetSystemDirectoryW,LoadLibraryExW,LoadStringW,SHGetFolderPathW,SHFileOperationW,CreateDirectoryW,GetSystemDirectoryW,CoInitialize,CoCreateInstance,PathRemoveFileSpecW,CoUninitialize,0_2_0000000140001730
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140002020 FindResourceW,LoadResource,LockResource,SizeofResource,0_2_0000000140002020
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static file information: File size 10525696 > 1048576
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x9d1a00
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001AF0 RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,PathRemoveFileSpecW,LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,LocalAlloc,FreeResource,VerQueryValueW,LocalFree,RegSetValueExW,RegSetValueExW,RegSetValueExW,FreeLibrary,GetWindowsDirectoryW,RegSetValueExW,RegOpenKeyW,RegDeleteTreeW,RegCloseKey, \explorer.exe 0_2_0000000140001AF0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001519C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000000014001519C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001F7B8 GetProcessHeap,0_2_000000014001F7B8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140009128 SetUnhandledExceptionFilter,0_2_0000000140009128
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400086E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00000001400086E0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140008F48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000000140008F48

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400010D0 GetSystemDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,GetWindowsDirectoryW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,0_2_00000001400010D0
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exeCode function: 0_2_00000001400246F0 cpuid 0_2_00000001400246F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exeCode function: 0_2_0000000140008E2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000140008E2C
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Exploitation for Privilege Escalation | 1 Access Token Manipulation | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Process Injection | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Process Injection | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
(A leading number is the count of matched signatures for that technique; cells without a number are unmatched placeholders of the matrix.)
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.winimage.com/zLibDll | 5390d36a371f0598b86301961d5fdb329e368e7a.exe | false | | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1520616
    Start date and time:2024-09-27 16:56:50 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 27s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:5390d36a371f0598b86301961d5fdb329e368e7a.exe
    (renamed file extension from none to exe)
    Original Sample Name:5390d36a371f0598b86301961d5fdb329e368e7a
    Detection:MAL
    Classification:mal48.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 74
    Cookbook Comments:
    • Unable to launch sample, stop analysis
    • Corrupt sample or wrongly selected analyzer. Details: 36b1
    • Execution Graph export aborted for target 5390d36a371f0598b86301961d5fdb329e368e7a.exe, PID 7564 because there are no executed function
    • VT rate limit hit for: 5390d36a371f0598b86301961d5fdb329e368e7a.exe
    No simulations
    No context
    No created / dropped files found
    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):5.098149442449812
    TrID:
    • Win64 Executable GUI (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:5390d36a371f0598b86301961d5fdb329e368e7a.exe
    File size:10'525'696 bytes
    MD5:0447e67da4fb72bdde31bd7ec2b62e04
    SHA1:7143740f5b7a35799398568b9606c4b1eeb9d591
    SHA256:12f30a0114c0d67881f10a66cf5b848afc3d858dea34c06836113e272bad0dc5
    SHA512:c4bf3bef91e8f145272816617620cf2e357060db3a4608c92fa6270ce2a93f4b1be3e69c5b88c39838916d6b01c9a0caf9d4392c0a14af3062c49b9cfc115b05
    SSDEEP:196608:aZN5gB3uI0Bn+2N8cL0yiao2ItCC2bO+WxN:QzgN4Bz7ieTCIKN
    TLSH:DAB6335D67A10ED8F5B7E335C51A490A9BA07C190310D46F1B74C1AD1E233A0EE7EFAA
    File Content Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?.
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x140008bd8
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x66E2DBAB [Thu Sep 12 12:16:43 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:f1499aa854493f33c80eb31e0ab8ae92
    Instruction
    dec eax
    sub esp, 28h
    call 00007F76ACAE5BC0h
    dec eax
    add esp, 28h
    jmp 00007F76ACAE57EFh
    int3
    int3
    dec eax
    sub esp, 28h
    call 00007F76ACAE6258h
    test eax, eax
    je 00007F76ACAE5993h
    dec eax
    mov eax, dword ptr [00000030h]
    dec eax
    mov ecx, dword ptr [eax+08h]
    jmp 00007F76ACAE5977h
    dec eax
    cmp ecx, eax
    je 00007F76ACAE5986h
    xor eax, eax
    dec eax
    cmpxchg dword ptr [0002E460h], ecx
    jne 00007F76ACAE5960h
    xor al, al
    dec eax
    add esp, 28h
    ret
    mov al, 01h
    jmp 00007F76ACAE5969h
    int3
    int3
    int3
    dec eax
    sub esp, 28h
    test ecx, ecx
    jne 00007F76ACAE5979h
    mov byte ptr [0002E449h], 00000001h
    call 00007F76ACAE5F45h
    call 00007F76ACAE95D0h
    test al, al
    jne 00007F76ACAE5976h
    xor al, al
    jmp 00007F76ACAE5986h
    call 00007F76ACAF4DAFh
    test al, al
    jne 00007F76ACAE597Bh
    xor ecx, ecx
    call 00007F76ACAE95E0h
    jmp 00007F76ACAE595Ch
    mov al, 01h
    dec eax
    add esp, 28h
    ret
    int3
    int3
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    cmp byte ptr [0002E410h], 00000000h
    mov ebx, ecx
    jne 00007F76ACAE59D9h
    cmp ecx, 01h
    jnbe 00007F76ACAE59DCh
    call 00007F76ACAE61CEh
    test eax, eax
    je 00007F76ACAE599Ah
    test ebx, ebx
    jne 00007F76ACAE5996h
    dec eax
    lea ecx, dword ptr [0002E3FAh]
    call 00007F76ACAF4BCEh
    test eax, eax
    jne 00007F76ACAE5982h
    dec eax
    lea ecx, dword ptr [0002E402h]
    call 00007F76ACAE59BEh
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34bfc | 0xb4 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x9d1870 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x38000 | 0x1aac | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0c000 | 0x6a4 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x32870 | 0x70 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32730 | 0x140 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x508 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x24f30 | 0x25000 | 173e7f97391bc8314dd470c483309938 | False | 0.5402040223817568 | data | 6.4691102710132915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x26000 | 0xfd20 | 0xfe00 | 9e2d4b48d9fe068301a1f9d10650bbc7 | False | 0.48297551673228345 | data | 5.364699069479192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x36000 | 0x1f54 | 0xc00 | 70729d2ec4f7f720830ce88e7a8defb2 | False | 0.138671875 | data | 1.9570761316523926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata | 0x38000 | 0x1aac | 0x1c00 | f7c2ea792d907b5dce52bcd41206cef3 | False | 0.4693080357142857 | PEX Binary Archive | 5.278111274874002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0x3a000 | 0x9d1870 | 0x9d1a00 | 7ab4593ac39e13cf56146c7db4d08260 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0xa0c000 | 0x6a4 | 0x800 | c99a74c555371a433d121f551d6c6398 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_STRING | 0xa0b238 | 0x13e | data | Chinese | Taiwan | 0.040880503144654086
    RT_STRING | 0xa03d18 | 0x2ae | data | German | Germany | 0.021865889212827987
    RT_STRING | 0xa03498 | 0x2a2 | data | English | United States | 0.02225519287833828
    RT_STRING | 0xa04788 | 0x2b8 | data | French | France | 0.021551724137931036
    RT_STRING | 0xa05118 | 0x280 | data | Hungarian | Hungary | 0.0234375
    RT_STRING | 0xa06318 | 0x1b2 | data | Japanese | Japan | 0.03225806451612903
    RT_STRING | 0xa06870 | 0x170 | data | Korean | North Korea | 0.035326086956521736
    RT_STRING | 0xa06870 | 0x170 | data | Korean | South Korea | 0.035326086956521736
    RT_STRING | 0xa07660 | 0x294 | data | Dutch | Netherlands | 0.022727272727272728
    RT_STRING | 0xa07f98 | 0x2ac | data | Polish | Poland | 0.021929824561403508
    RT_STRING | 0xa08920 | 0x294 | data | Romanian | Romania | 0.022727272727272728
    RT_STRING | 0xa092b0 | 0x2ac | data | Russian | Russia | 0.021929824561403508
    RT_STRING | 0xa09b90 | 0x2c4 | data | Turkish | Turkey | 0.0211864406779661
    RT_STRING | 0xa05a40 | 0x292 | data | Indonesian | Indonesia | 0.022796352583586626
    RT_STRING | 0xa0a558 | 0x2d4 | data | Ukrainian | Ukrain | 0.020718232044198894
    RT_STRING | 0xa06d50 | 0x2c8 | data | Lithuanian | Lithuania | 0.021067415730337078
    RT_STRING | 0xa0aea8 | 0x132 | data | Chinese | China | 0.042483660130718956
    RT_STRING | 0xa0b378 | 0x272 | data | Chinese | Taiwan | 0.023961661341853034
    RT_STRING | 0xa03fc8 | 0x7bc | data | German | Germany | 0.011616161616161616
    RT_STRING | 0xa03740 | 0x5d4 | data | English | United States | 0.013404825737265416
    RT_STRING | 0xa04a40 | 0x6d2 | data | French | France | 0.012600229095074456
    RT_STRING | 0xa05398 | 0x6a2 | data | Hungarian | Hungary | 0.012956419316843345
    RT_STRING | 0xa064d0 | 0x39c | data | Japanese | Japan | 0.0183982683982684
    RT_STRING | 0xa069e0 | 0x36c | data | Korean | North Korea | 0.019406392694063926
    RT_STRING | 0xa069e0 | 0x36c | data | Korean | South Korea | 0.019406392694063926
    RT_STRING | 0xa078f8 | 0x69a | data | Dutch | Netherlands | 0.01301775147928994
    RT_STRING | 0xa08248 | 0x6d2 | data | Polish | Poland | 0.012600229095074456
    RT_STRING | 0xa08bb8 | 0x6f8 | data | Romanian | Romania | 0.01233183856502242
    RT_STRING | 0xa09560 | 0x62e | data | Russian | Russia | 0.01327433628318584
    RT_STRING | 0xa09e58 | 0x700 | data | Turkish | Turkey | 0.012276785714285714
    RT_STRING | 0xa05cd8 | 0x63c | data | Indonesian | Indonesia | 0.013157894736842105
    RT_STRING | 0xa0a830 | 0x678 | data | Ukrainian | Ukrain | 0.012681159420289856
    RT_STRING | 0xa07018 | 0x648 | data | Lithuanian | Lithuania | 0.013059701492537313
    RT_STRING | 0xa0afe0 | 0x258 | data | Chinese | China | 0.025
    RT_RCDATA | 0x3a7b0 | 0x9c8ce4 | Zip archive data, at least v2.0 to extract, compression method=deflate | English | United States | 0.9992465972900391
    RT_VERSION | 0x3a430 | 0x380 | data | English | United States | 0.43526785714285715
    RT_MANIFEST | 0xa0b5f0 | 0x27e | data | English | United States | 0.023510971786833857
    DLL | Import
    KERNEL32.dll | TerminateProcess, RemoveDirectoryW, GetModuleFileNameW, FindClose, K32GetProcessImageFileNameW, GetUserPreferredUILanguages, OpenProcess, MultiByteToWideChar, CreateThread, K32EnumProcesses, GetCurrentDirectoryW, GetProcAddress, GetCurrentProcessId, GetModuleHandleW, FreeLibrary, CopyFileW, CreateSymbolicLinkW, lstrcmpW, MoveFileW, GetProcessTimes, LoadLibraryExW, WriteConsoleW, SetEndOfFile, WriteFile, HeapSize, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, ReadConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FindNextFileW, SetLastError, FindFirstFileW, GetExitCodeProcess, MapViewOfFile, CreateFileMappingW, LocalFree, GetWindowsDirectoryW, FindResourceW, LoadResource, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, FreeResource, UnmapViewOfFile, GetSystemDirectoryW, CreateFileW, LocalAlloc, WaitForSingleObject, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, HeapReAlloc, CreateDirectoryW, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
    USER32.dll | ExitWindowsEx, GetWindowThreadProcessId, SetProcessDpiAwarenessContext, SendMessageTimeoutW, MessageBoxW, SendMessageW, LoadStringW, FindWindowW
    ADVAPI32.dll | RevertToSelf, EqualSid, RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, CreateProcessWithTokenW, ImpersonateLoggedOnUser, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, DuplicateTokenEx, RegOpenKeyW, RegQueryValueExW, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, OpenProcessToken, RegOpenKeyExW, RegGetValueW
    SHELL32.dll | SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, ShellExecuteExW
    ole32.dll | CoInitialize, CoUninitialize, CoCreateInstance
    RstrtMgr.DLL | RmRegisterResources, RmGetList, RmStartSession, RmShutdown
    VERSION.dll | VerQueryValueW
    SHLWAPI.dll | PathRemoveExtensionW, PathRemoveFileSpecW, PathStripPathW, PathFileExistsW
    Language of compilation system | Country where language is spoken
    Chinese | Taiwan
    German | Germany
    English | United States
    French | France
    Hungarian | Hungary
    Japanese | Japan
    Korean | North Korea
    Korean | South Korea
    Dutch | Netherlands
    Polish | Poland
    Romanian | Romania
    Russian | Russia
    Turkish | Turkey
    Indonesian | Indonesia
    Ukrainian | Ukrain
    Lithuanian | Lithuania
    Chinese | China
    No network behavior found


    Target ID:0
    Start time:10:57:44
    Start date:27/09/2024
    Path:C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe"
    Imagebase:0x140000000
    File size:10'525'696 bytes
    MD5 hash:0447E67DA4FB72BDDE31BD7EC2B62E04
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Close$HandleProcess$Directory$ErrorLastPath$Create$File$Token$FindFolder$MessageValue$ExecuteShell$ExitLoadObjectOpenSingleStringSystemWaitWindows$Module_invalid_parameter_noinfo$CodeCurrentDeleteFirstInformationSleepWindow$NameRemoveThreadUser$AddressEventExistsLanguagesPreferredProcSend$AdjustAllocateArgvAwarenessCheckCommandContextCopyDuplicateEqualExtensionFreeImpersonateInitializeLineLinkLoggedLookupMembershipPrivilegePrivilegesQueryRevertSelfStripSymbolicTerminateTimeoutWith
      • String ID: %s$/extract$/f /im explorer.exe$/uninstall$/uninstall_silent$/update_silent$ARM64$AppResolverLegacy.dll$AutoStart$ExplorerPatcher$ExplorerPatcher.IA-32.dll$ExplorerPatcher.IA-32.dll$ExplorerPatcher.amd64.dll$ExplorerPatcher.amd64.dll$ExplorerPatcherCleanup$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Global\ep_dwm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Global\ep_setup_D17F1E1A-5919-4427-8F89-A1A8503CA3EB$IsUpdatePending$IsWow64Process2$OpenPropertiesAtNextStart$SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$SOFTWARE\Microsoft\Windows\CurrentVersion\Shell\Update\Packages$SOFTWARE\Policies\Microsoft\Windows\Explorer$SeShutdownPrivilege$Shell_TrayWnd$Software\ExplorerPatcher$StartTileDataLegacy.dll$StartTileDataLegacy.dll.mui$StartUI$StartUI/StartUI.dll$StartUI_.dll$UndockingDisabled$WebView2Loader.dll$WebView2Loader.dll$Windows.UI.ShellCommon.en-US.pri$Windows.UI.ShellCommon.pri$Windows.UI.ShellCommon/$\ExplorerPatcher$\ExplorerPatcher\ExplorerPatcher.amd64.dll"$\ExplorerPatcher\ep_gui.dll",ZZGUI$\ExplorerPatcher\ep_setup.exe" /uninstall$\ExplorerPatcher\ep_weather_host.dll"$\ExplorerPatcher\ep_weather_host_stub.dll"$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy$\SystemApps\ShellExperienceHost_cw5n1h2txyewy$\cleanup$\en-US$\explorer.exe$\pris2$\regsvr32.exe$\rundll32.exe "$\sc.exe$\taskkill.exe$\wincorlib.dll$\wincorlib_orig.dll$ar-SA$bg-BG$ca-ES$cmd /c rmdir /s /q "$cs-CZ$da-DK$de-DE$delete 
ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB$dxgi.dll$el-GR$en-GB$en-US$ep_dwm.exe$ep_dwm.exe$ep_gui.dll$ep_gui.dll$ep_setup.exe$ep_startmenu.dll$ep_uninstall.exe$ep_weather_host.dll$ep_weather_host.dll$ep_weather_host_stub.dll$ep_weather_host_stub.dll$es-ES$es-MX$et-EE$eu-ES$fi-FI$fr-CA$fr-FR$gl-ES$he-IL$hr-HR$hu-HU$id-ID$it-IT$ja-JP$kernel32.dll$ko-KR$lt-LT$lv-LV$nb-NO$nl-NL$open$pl-PL$pnidui.dll$pnidui/$pnidui/pnidui.dll$pris$pt-BR$pt-PT$r+b$ro-RO$ru-RU$runas$sk-SK$sl-SI$sr-Latn-RS$start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB$stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB$sv-SE$th-TH$tr-TR$uk-UA$vi-VN$wincorlib.dll$wincorlib_orig.dll$x64$zh-CN$zh-TW
      • API String ID: 1320937782-533975668
      • Opcode ID: 92badaf76d1444339bcb6e0b275fee20644842b2f1d67e61619a0fd2de649517
      • Instruction ID: a8be6a58ef7074ece0288ed37948e92ab34d7e38fe46d666bbbb563a235ade2c
      • Opcode Fuzzy Hash: 92badaf76d1444339bcb6e0b275fee20644842b2f1d67e61619a0fd2de649517
      • Instruction Fuzzy Hash: 23333072610B8196E722DF72E8503DA33A5F78C799F404226EB5D4BAB9DF78C648C740
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Value$Resource$Free$LibraryLoadLocal$AllocCloseCreateDeleteDirectoryFileFindLockOpenPathQueryRemoveSizeofSpecTreeWindows
      • String ID: %d.%d.%d.%d$,$DisplayIcon$DisplayName$DisplayVersion$ExplorerPatcher$NoModify$NoRepair$Publisher$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher$UninstallString$VALINET Solutions SRL$VersionMajor$VersionMinor$\ExplorerPatcher.amd64.dll$\explorer.exe
      • API String ID: 990234576-1645187887
      • Opcode ID: 16e5fae12b639ff2f9cfbc6ff1cab4733eb685664d0b35376d2b176d3570190d
      • Instruction ID: a2d997e99c745a22888bf96b9b412c85da1a9a5e65c8bfbe56f39f8f7bfaedca
      • Opcode Fuzzy Hash: 16e5fae12b639ff2f9cfbc6ff1cab4733eb685664d0b35376d2b176d3570190d
      • Instruction Fuzzy Hash: E0C11776704A9186EB22DB66E8947DE73A4F78C7D8F404225EF4A43BA4DF78C949C700
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: File$CreateModulePathWrite$DeleteExistsHandleName_invalid_parameter_noinfo$CloseCopyDirectoryErrorExtensionLastMappingRemoveWindows
      • String ID: .prev$\dxgi.dll
      • API String ID: 3974626051-2124309788
      • Opcode ID: 238c940def29d534a6d424c9566e4160c9adf55c0700b5560b42f6953845b13d
      • Instruction ID: dcf6d5787a64036c72a201c59fa79bebee01c4a2856f23ff9a0bf8b790577976
      • Opcode Fuzzy Hash: 238c940def29d534a6d424c9566e4160c9adf55c0700b5560b42f6953845b13d
      • Instruction Fuzzy Hash: 3BA17E72604A9182FB22DB26F8147EA63A0FB9DBC8F445215FF4947AA4DF7DC585C700
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Directory$System$CloseCodeExecuteExitFolderHandleObjectPathProcessShellSingleWaitWindows_invalid_parameter_noinfo
      • String ID: %s$/c ""%s" create ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB binPath= "\"%s\" %s" DisplayName= "ExplorerPatcher Desktop Window Mana$/c ""%s" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB & "%s" delete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB & "$@$\ExplorerPatcher$\cmd.exe$\dxgi.dll$\ep_dwm.exe$\sc.exe$\taskkill.exe$ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB Global\ep_dwm_2_D17F1E1A-5919-4427-8F89-A1A8503CA3EB$p$query$runas$start
      • API String ID: 1356752382-1354379787
      • Opcode ID: 7517d28243a27588eaee16ab6e5b8c609467f03f546937d70be0caedd981ed14
      • Instruction ID: f7a285f2b1261ce6732297dad0af0c1d1fb4bb8042ce69a98c901dd43e8ec620
      • Opcode Fuzzy Hash: 7517d28243a27588eaee16ab6e5b8c609467f03f546937d70be0caedd981ed14
      • Instruction Fuzzy Hash: 69611A32615B81DAE712DF61E8903DE3364F798388F904126EB8D47A79DF78C699C740
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Directory$CreateFileLoadPathSystem$FolderInitializeInstanceLibraryOperationRemoveSpecStringUninitialize_invalid_parameter_noinfo
      • String ID: ExplorerPatcher$ExplorerPatcher).lnk$\ExplorerFrame.dll$\ExplorerPatcher$\shell32.dll
      • API String ID: 3513963229-1075351477
      • Opcode ID: 24eee7302e48011f24f019cb0f314dd15acea84cb6beaf79c8dc709edd34e9c0
      • Instruction ID: f601abe3c836a7dfa4fc3b6604d21552ae166da980c0d2cc1ee421b0a53ca1fd
      • Opcode Fuzzy Hash: 24eee7302e48011f24f019cb0f314dd15acea84cb6beaf79c8dc709edd34e9c0
      • Instruction Fuzzy Hash: BBA12F76710A809AEB12DF66E8507DE6361F7C8B88F444026EB4E47BB8DF79C649C740
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _fread_nolock$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 3405171723-0
      • Opcode ID: 13a972e515993c2848c13435928e497cb901fbb0982a45878eebc1862af4eb78
      • Instruction ID: 741009573a5172281e404f149d34036e10608f5cd9dc139a1dfa2526982a0de9
      • Opcode Fuzzy Hash: 13a972e515993c2848c13435928e497cb901fbb0982a45878eebc1862af4eb78
      • Instruction Fuzzy Hash: A982A3B13046D049EB76DF3AA8543E927D1B74A7C8F444126FF9A9BBA5EE38C645C300
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
      • API String ID: 808467561-2761157908
      • Opcode ID: 5f45a68d67cd0407faa8743267e1078bff50fc2d6a9b810e568b910c6f7b39ae
      • Instruction ID: c571ddf759385c4d7540e783b12a54b39029d66da8b5539dd10cebb28d02d2e1
      • Opcode Fuzzy Hash: 5f45a68d67cd0407faa8743267e1078bff50fc2d6a9b810e568b910c6f7b39ae
      • Instruction Fuzzy Hash: 70B2DF72A143908BE776CF6AD540BED77A1F3983C8F505129EB0A5BAA9D734DE40CB40
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
      • String ID:
      • API String ID: 1617910340-0
      • Opcode ID: 14bdbc42ba29ddcc7577c2fc9f5952540e1a0d43fe8eadcaffc71efbadc5f0be
      • Instruction ID: b2da713d59bce3477bea28a6b8403e28ef1624d2c724254afd768db82ac3bf31
      • Opcode Fuzzy Hash: 14bdbc42ba29ddcc7577c2fc9f5952540e1a0d43fe8eadcaffc71efbadc5f0be
      • Instruction Fuzzy Hash: 84C18A36724A4096EB12DFAAD4907EC3761E34DBE8F015619EF2A9B7A5CB38C855C340
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Find$CloseFile_invalid_parameter_noinfolstrcmp$DirectoryErrorFirstLastNextRemove
      • String ID:
      • API String ID: 2499321044-0
      • Opcode ID: b08e414de10713dca16fb08e563adc7e399fca194732592823c9bd6dcd6fc3e9
      • Instruction ID: 3ecb08e59de542a9d47e8648df1f3c99e1e09927e66f4b74384360dcdd0ace7e
      • Opcode Fuzzy Hash: b08e414de10713dca16fb08e563adc7e399fca194732592823c9bd6dcd6fc3e9
      • Instruction Fuzzy Hash: 6C411D71208A8091FA23EB62F8943EA6365F79C7C0F844116AB9A47AF5DF39C949C741
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
      • API String ID: 0-2665694366
      • Opcode ID: 24e8e903c70d44e3e132826a53fc6769288c5d7d158adac9be3fcc8f4f816c3b
      • Instruction ID: f6a552d2495e8dfcf0595c00fcd3832bc07a62222151eae39ee3fd0f1f252758
      • Opcode Fuzzy Hash: 24e8e903c70d44e3e132826a53fc6769288c5d7d158adac9be3fcc8f4f816c3b
      • Instruction Fuzzy Hash: 6F52C4B26106A48BE7A5CF26E598BAE3BEDF789380F054129F746877D0D739C944CB40
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
      • String ID:
      • API String ID: 3140674995-0
      • Opcode ID: f0721695cc7d0594075ed72f9eebf78c7f5f185e422523099496e37a9ac7db6e
      • Instruction ID: 5dc9a1628e4e913af29ff8c41286e84697ee7bd91de68ea850df01dacc231974
      • Opcode Fuzzy Hash: f0721695cc7d0594075ed72f9eebf78c7f5f185e422523099496e37a9ac7db6e
      • Instruction Fuzzy Hash: CD313E76205B818AEB61DF61E8407EE7375F788788F44402AEB4E47BA9DF38C648C710
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
      • String ID:
      • API String ID: 1239891234-0
      • Opcode ID: 67e710f5455fcc4f3f8ffe89c79411c396812993aaadbcdb4276b5cb23678309
      • Instruction ID: 891956596e6371fd884d590d1fc9e1b7504bf099cd5ffd63ac6fd70f6d0b577f
      • Opcode Fuzzy Hash: 67e710f5455fcc4f3f8ffe89c79411c396812993aaadbcdb4276b5cb23678309
      • Instruction Fuzzy Hash: BF314D36204B8086DB61DF76E8403DE73A4F789798F50012AFB8D47BA8EF38C6458B00
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ByteCharCreateDirectoryMultiWide
      • String ID: d$mui$pri
      • API String ID: 386366709-3989872240
      • Opcode ID: ff382059e27beb3c65810147d6f478162e5abbbf53490135e17b6ddbe682491c
      • Instruction ID: af5f7ff94e25cbc3fd00f108d94c89df9166691ebfc8d7d6b9188e6c4cb543d7
      • Opcode Fuzzy Hash: ff382059e27beb3c65810147d6f478162e5abbbf53490135e17b6ddbe682491c
      • Instruction Fuzzy Hash: 4BC1B1B2300A8086FB66DF66E9507EA23A0F75D7C8F444122EF4957AE5EF78C995C300
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: FileFindFirst_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2227656907-0
      • Opcode ID: bc412c3c5c6b521c87464d41134863022bb210cfa6199148a49126f624fa6841
      • Instruction ID: 43c6f53634c586b9aaeb86d19334f75630b1bd83196e991a70eded3aa38a9ab0
      • Opcode Fuzzy Hash: bc412c3c5c6b521c87464d41134863022bb210cfa6199148a49126f624fa6841
      • Instruction Fuzzy Hash: 61B1A072314A9181EB62DB67A5007EA73A1E788BE4F445112FF5A4FBE9EF39C541C700
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: 7c1278968133910f32afa3390830732f66fb5df18a2778e2bbf4b0030b7f9f57
      • Instruction ID: 913b02d768118937c6e42de915514abf86f21481586d1c7b07290dd09babc828
      • Opcode Fuzzy Hash: 7c1278968133910f32afa3390830732f66fb5df18a2778e2bbf4b0030b7f9f57
      • Instruction Fuzzy Hash: F841D472205B81C5EA26DF26F4413EAB3A9FB887C0F584229FB8907769EF39C555C740
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
      • String ID:
      • API String ID: 2933794660-0
      • Opcode ID: d490c774242d86a4b319619409adf73b8d724b4892db60fa64681951350df607
      • Instruction ID: d4d1cd1187cf88702bc52cdbc36cc95f294f9d6634e6487e1febc41ca2fb9ec6
      • Opcode Fuzzy Hash: d490c774242d86a4b319619409adf73b8d724b4892db60fa64681951350df607
      • Instruction Fuzzy Hash: BE11E836B10B018AEB01CF71E8553A933A4F75DB98F441A25EB6D47BA4DB78C5948340
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: memcpy_s
      • String ID:
      • API String ID: 1502251526-0
      • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
      • Instruction ID: 50d1d22436a113244acad0253e28cb4946653ae41653e4ea84576e7444c041d7
      • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
      • Instruction Fuzzy Hash: 8BC1177271478487EB25CF5AE0887AAB7A1F39CBC4F448129EB4A47B95DB39DC05CB40
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: $header crc mismatch$unknown header flags set
      • API String ID: 0-1127688429
      • Opcode ID: 37229f65088c5e8a4db8581e9535b6834fca4b1ae10a7ecb7fc20935cf179ba9
      • Instruction ID: f22bc4343d1fbda14353ca578c4a1050189504862bb4b5bbca7f9ccd1ed8856f
      • Opcode Fuzzy Hash: 37229f65088c5e8a4db8581e9535b6834fca4b1ae10a7ecb7fc20935cf179ba9
      • Instruction Fuzzy Hash: 33F17FB26143D48BE7A6CF1AE488BAE7AEDFB49784F064518FB45577A1C734C940CB40
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ExceptionRaise_clrfp
      • String ID:
      • API String ID: 15204871-0
      • Opcode ID: b119d2541d6d00056396611086b49aeafd22b986f5490a89ec88c28437528ab1
      • Instruction ID: f0f9b28bccf3c21ed172737e67b37a550c11d731a6b3fc9acbbdc58aa47d8d12
      • Opcode Fuzzy Hash: b119d2541d6d00056396611086b49aeafd22b986f5490a89ec88c28437528ab1
      • Instruction Fuzzy Hash: 04B10F77610B888BEB56CF2AC84639C7BA0F348B98F158915EB5D87BB4CB39C851C700
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: $
      • API String ID: 0-227171996
      • Opcode ID: cd7f2eadbe630688d0411af35c12b2db0cf59b24763147ddfaa38ceb88e411f0
      • Instruction ID: bf4bc0559cfbcdb88b5e656d3a5d00131230618379e0cb1be493e8d463948fc1
      • Opcode Fuzzy Hash: cd7f2eadbe630688d0411af35c12b2db0cf59b24763147ddfaa38ceb88e411f0
      • Instruction Fuzzy Hash: EAE1727220064486EB6ACF2AD5507AD77A0F74DBD8F145229FB864B7B4DB37C862C740
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: incorrect header check$invalid window size
      • API String ID: 0-900081337
      • Opcode ID: 75cf6dcf91aa3b70cdbfd38aaa68015b16bf46624cdc96960fd7728838876606
      • Instruction ID: 4bf581629fea9c53a9b543344852ac46d66fc3082b552f83aa7f66a658099805
      • Opcode Fuzzy Hash: 75cf6dcf91aa3b70cdbfd38aaa68015b16bf46624cdc96960fd7728838876606
      • Instruction Fuzzy Hash: F99160B26142C48BF7A6CF16E498FAE3AE9F7493D4F124129EB46477A0D739C940CB40
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: e+000$gfff
      • API String ID: 0-3030954782
      • Opcode ID: 237e8dd8eb571e33ddddb1f1704f5beccbc37e1ef2af885c68d6d541adf608eb
      • Instruction ID: d81db6978d0d8296c2b82b29a9b04506c24955a93035202b9a66dcbec6d92970
      • Opcode Fuzzy Hash: 237e8dd8eb571e33ddddb1f1704f5beccbc37e1ef2af885c68d6d541adf608eb
      • Instruction Fuzzy Hash: 145155727186C486E7368F36E8417D9BB91E348BD4F489222EFA44FAE5CB7AC544C700
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: 0
      • API String ID: 0-4108050209
      • Opcode ID: 254197f914492dcea5e4304ebf4d4a591d83eaa9d53db8a7410d0fad96215337
      • Instruction ID: c6bd0bff36b7f7b0e5f024b17d17b8ff5c1b9ae289b5eface8e5e1db7947ddd8
      • Opcode Fuzzy Hash: 254197f914492dcea5e4304ebf4d4a591d83eaa9d53db8a7410d0fad96215337
      • Instruction Fuzzy Hash: 7DE1CD72204A0482EB6A9F2B91507AE37A1F74DFD8F245215FF9A0B6B4DB37C952C740
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID: gfffffff
      • API String ID: 0-1523873471
      • Opcode ID: f42bfbaeb5921ee5ffb8002197d74df1f3d6236d5c6b703e83b481d11ccb39ff
      • Instruction ID: 66df3d0229fa366bbd8ca0ee894ad55d2efc97e9206b9f0b5c6c905fd1c9c21f
      • Opcode Fuzzy Hash: f42bfbaeb5921ee5ffb8002197d74df1f3d6236d5c6b703e83b481d11ccb39ff
      • Instruction Fuzzy Hash: B0A126727087C486EB32CF2AA4107E97B91A768BD4F158122EF894B7E5DA3EC601C701
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: HeapProcess
      • String ID:
      • API String ID: 54951025-0
      • Opcode ID: d5eb15e4de4be8a64f23289159b3f7742dfe0b84dd31b6af755fd65ba7a3c3ca
      • Instruction ID: 24b740ef39a5f37ee334899e87db3916c695dacf3be613592b093ff7a00d19c9
      • Opcode Fuzzy Hash: d5eb15e4de4be8a64f23289159b3f7742dfe0b84dd31b6af755fd65ba7a3c3ca
      • Instruction Fuzzy Hash: B5B09230A13A00D2EA4A2B226C8274423A46F8C740FA80018920C42330DA3C14F56701
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: eb81425b22fecf541e760bb639bb244d2a19505ca7bac7f0d6522b3d5a32953e
      • Instruction ID: bc4d3e894736246f60434a5e5f07ebefa6f1c250228d8f088add9c6e83b1b523
      • Opcode Fuzzy Hash: eb81425b22fecf541e760bb639bb244d2a19505ca7bac7f0d6522b3d5a32953e
      • Instruction Fuzzy Hash: C962BEB2B04A908AEB658B7AA5547AD3BE0F348BD5F045115EF6EA3F94CB38C425C710
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3de013abc1ef2ea8047fb95e0bb8cfcaf48417f61b24763843b30f2f0fc269e9
      • Instruction ID: 9f7364e50f0875e2532d166c4c80c40ef25f35eba6f6420da303c9bc317d54b0
      • Opcode Fuzzy Hash: 3de013abc1ef2ea8047fb95e0bb8cfcaf48417f61b24763843b30f2f0fc269e9
      • Instruction Fuzzy Hash: 49E1AD3620464486EB6A9E2BD1803AE27A1F74DBD8F588215FF460F3F9DB36C861C741
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6f322e3692f7395c0fb95d7d6e6d540a653f26daae58f11cfce00234cfdd5bc8
      • Instruction ID: 04354b4e768f15dca3268073fc7f8811e265ac74d71b3b17fb331ab936a971b8
      • Opcode Fuzzy Hash: 6f322e3692f7395c0fb95d7d6e6d540a653f26daae58f11cfce00234cfdd5bc8
      • Instruction Fuzzy Hash: 1DB1D3B270059049FB65DB37A8183BE2BE1A74AFE9F040512DFAE67BD8DA38C541C350
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9d38f0ecf57df0230ae8c4d118e4a326bac671142f5f86d9032835e88d1612fa
      • Instruction ID: f7f7e6627cffee1c17ec44185d87eef198b3629526168fc70920a86220991764
      • Opcode Fuzzy Hash: 9d38f0ecf57df0230ae8c4d118e4a326bac671142f5f86d9032835e88d1612fa
      • Instruction Fuzzy Hash: C0C1BA721181E08BD299EB29E499BBA77D1F78838DFD4842AEF8B47785C63CE014D750
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0488c612e68cc6a767f7269b753162e51a2f235d5021a5c5561c38606289f2da
      • Instruction ID: c8964eb10ddb07855c94fbb1440c5dcf80c3895dbc1c0cdf6485b5b9543d29c7
      • Opcode Fuzzy Hash: 0488c612e68cc6a767f7269b753162e51a2f235d5021a5c5561c38606289f2da
      • Instruction Fuzzy Hash: 7E81C87260478046E775CB1A94853EA76A1F38E7D4F544215FB9E4BBEDDB3EC5408B00
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo
      • String ID:
      • API String ID: 3215553584-0
      • Opcode ID: a06d2bb1922c492bfaa28e396db5ae80ffcea6ff06c99aacc7e0ffa10055152d
      • Instruction ID: a5ed6d3d04f7dd908cb3cbffc135d00898f2c13003a97aafeb430c6e13d48ed5
      • Opcode Fuzzy Hash: a06d2bb1922c492bfaa28e396db5ae80ffcea6ff06c99aacc7e0ffa10055152d
      • Instruction Fuzzy Hash: 3E61F43271429086FB668BAA98507FD6682A7E87F0F55423DFB29876F5E775CC018700
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 02cc502c72463c9c71451e6f2fa90068ce816dba0e071cc752bc372475a9f696
      • Instruction ID: bc8e1e54953701ce4f0983fc675a342265861959203723d9a34f36335d91dc3c
      • Opcode Fuzzy Hash: 02cc502c72463c9c71451e6f2fa90068ce816dba0e071cc752bc372475a9f696
      • Instruction Fuzzy Hash: 6951927222466086F7769E2AD1147E833A0E74D7D8F145211FBC91B6FACBB7C882DB41
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ec41bd8430a73be67ae98b95dfba8236bd75c7f66a0fa9193629d5b0446da69f
      • Instruction ID: 7b459e0e8f646a858612f6f885d73be9706a7c7d10cb7f17d499881d556b0cb1
      • Opcode Fuzzy Hash: ec41bd8430a73be67ae98b95dfba8236bd75c7f66a0fa9193629d5b0446da69f
      • Instruction Fuzzy Hash: 46518F7222066086E7668F6AE0447E873A0E74D7E8F144211FBC91B6F9DBB7D842CB41
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e75f4ae34a1aca41c50f04f3f5d9e990e3a26fa005f86319cb1cb375c3931b4c
      • Instruction ID: 5fdd4efadb4cdd47e2eed96b4359dde7b2ad8ae828414aba6a080131b8a52aca
      • Opcode Fuzzy Hash: e75f4ae34a1aca41c50f04f3f5d9e990e3a26fa005f86319cb1cb375c3931b4c
      • Instruction Fuzzy Hash: 4551947262065096F76A8E2AD0047E873A1E78D7D8F144211FF590FAF6D777C882D701
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 58c14b2a7001f9267d93b63815baa0310adde8512f89ea093c62c04dec28dbd4
      • Instruction ID: f65f46fecdedaa025af8adfac64c429c9fc3711d7a8d0b9919b1035319fd82ed
      • Opcode Fuzzy Hash: 58c14b2a7001f9267d93b63815baa0310adde8512f89ea093c62c04dec28dbd4
      • Instruction Fuzzy Hash: A5519276614A6486E7268B2AC04039D33A1E79CBE8F244211EFC95B7F5CBB7D853CB40
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a177b1a66fa16d0f4978ee5472195a8832ef7a0e532e80a44ac07567670f6f53
      • Instruction ID: 64756fa0fccf2c0478e55bf6b94aa741239fb426b506134d552f8df1f68733a3
      • Opcode Fuzzy Hash: a177b1a66fa16d0f4978ee5472195a8832ef7a0e532e80a44ac07567670f6f53
      • Instruction Fuzzy Hash: FF51807622476486E7268B2AC0503A937A0E74CFACF648111EF895B7B5D7B3C853C780
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 24381f148549d370e523ee1f08f5d712262410fb8fc90b7f99d65a4d13ac9742
      • Instruction ID: 6faeea9e86486626a55618e7a61e8c927e0260b49a1a3ac549437258f7f60d3b
      • Opcode Fuzzy Hash: 24381f148549d370e523ee1f08f5d712262410fb8fc90b7f99d65a4d13ac9742
      • Instruction Fuzzy Hash: 88518076610A6086E7368B2BC04139837A0E35DFA8F248525EFC95BBB5C7B3C843C780
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ErrorFreeHeapLast
      • String ID:
      • API String ID: 485612231-0
      • Opcode ID: 212d2dc37d8750c63300da31bcd00e861d7792cb9d28c733f81bd8ae887e66f3
      • Instruction ID: 1c9cfd2225b58233c0357a5f9c1919de8d79397e0698cd74be3c6c1d8c8b41ad
      • Opcode Fuzzy Hash: 212d2dc37d8750c63300da31bcd00e861d7792cb9d28c733f81bd8ae887e66f3
      • Instruction Fuzzy Hash: 8A41A172310A5482EF49CF2BD9557AA73A1B74CFD4F49A026EF0D8BB68DA3DC4428340
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 96e5038b97aa36a93db02a2126431d80338949d76be0f48878feda01569565c2
      • Instruction ID: 25d98b0ddeb23747960355513a94d969c956e859f14e08ee3a44455a36bbb9f0
      • Opcode Fuzzy Hash: 96e5038b97aa36a93db02a2126431d80338949d76be0f48878feda01569565c2
      • Instruction Fuzzy Hash: BF3173B2204B84C5DB65CF2AE4407AD77A4F389B9CF548125EB8C4BB61DB76C152E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 89cea9064945da10567e9e13df4a06216b76047860aae3b743e348f3f7388eea
      • Instruction ID: 707073e53360cfffbc23cbe2a908c258b08776cd919e889fd99b575ec864f39f
      • Opcode Fuzzy Hash: 89cea9064945da10567e9e13df4a06216b76047860aae3b743e348f3f7388eea
      • Instruction Fuzzy Hash: 933141B2204B44D6DB65CF2AE0407ED77A4F398B9CF248125EB9C4B761DB36C492E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5da4d9b1c4e3af63f771c87b826f4c9a8809e8fcfa793e53628d6d647f9c6565
      • Instruction ID: 23dc92ac921edea9ed563a538931aa6003ec63b0d051256cd4c7c50ba784531d
      • Opcode Fuzzy Hash: 5da4d9b1c4e3af63f771c87b826f4c9a8809e8fcfa793e53628d6d647f9c6565
      • Instruction Fuzzy Hash: D4316FB2214684C6EB659F2AE0407BD77A1F79CB8CF648126EB4C4B761DB36C192E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: da72ac0d41f283e16bfcb526f60f48b80da3badd7955dab1a4b583c5e3db06bc
      • Instruction ID: cb38eec30ad0e034c856878aa081e3fed071f6d2f038a6d7126a900b98cd4bf1
      • Opcode Fuzzy Hash: da72ac0d41f283e16bfcb526f60f48b80da3badd7955dab1a4b583c5e3db06bc
      • Instruction Fuzzy Hash: 323171B2214B44C6DB65CF2AE4407AD77A0F398B8CF648125EB4C4BB61DB36C192E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4b6fe8574b849ee5d0d53dabcaf2443d76e25c8fa88c33b9d66bcad370fea30d
      • Instruction ID: f38731d3380b44653bdf3fe10d2d35a6f3a2edada44ae921416a3dd8bb94f342
      • Opcode Fuzzy Hash: 4b6fe8574b849ee5d0d53dabcaf2443d76e25c8fa88c33b9d66bcad370fea30d
      • Instruction Fuzzy Hash: B6316FB2204B44C6DB25CF2AE0503AD77A4F389F8CF258125DB8C4B761DB3AC552E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cde428ac05052ffeba2f659272914a137cc66ae16e219662e14adbd2d80a683e
      • Instruction ID: 09362ee031c0aca08a7157cad7cd4d66cddae96ca769740106977b7d44a87584
      • Opcode Fuzzy Hash: cde428ac05052ffeba2f659272914a137cc66ae16e219662e14adbd2d80a683e
      • Instruction Fuzzy Hash: 053143B2204B44C6DB65CF2AE0507AD77A4F399B8CF248125EB8D4B761DB36C492E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1b73882f0c1b2fabbf06d6d18c6d932e1d1ebf3365a1aa97763c2068e68929a8
      • Instruction ID: 8ab6749e50f1ed2f0df0967f7699cc070d7425a54c8f542bdd39dae0565627da
      • Opcode Fuzzy Hash: 1b73882f0c1b2fabbf06d6d18c6d932e1d1ebf3365a1aa97763c2068e68929a8
      • Instruction Fuzzy Hash: 4D3173B2214B84C6DB65CF2AE0407AD77A0F389B9CF549125EB8C0BB61DB76C592E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a4ad20ecedf5d66cc521b978fc64a2e352bdb976ded794baaaf9d63ca7b07b8c
      • Instruction ID: 6326fdd6dba4391801125d625bee4813ef0947857400e9a174fcf3c21346847f
      • Opcode Fuzzy Hash: a4ad20ecedf5d66cc521b978fc64a2e352bdb976ded794baaaf9d63ca7b07b8c
      • Instruction Fuzzy Hash: BD3161B2204B44C6DB65CF2AE0807ED77A0F388B8CF648129EB4C4B761DB36C056E704
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b9b08c80dfbef8b6d4f342d79ef88ae45e7fe059b3ad85de2f7bad37315b6a89
      • Instruction ID: d3f7cdfd72e4dfcea6ec2d52decb148182df0c70886db827e136d47ea7d77465
      • Opcode Fuzzy Hash: b9b08c80dfbef8b6d4f342d79ef88ae45e7fe059b3ad85de2f7bad37315b6a89
      • Instruction Fuzzy Hash: 503182B2205B44C6EB65CF2AE1417AD77A0F38CB8CF248125DB8C4BB61DB36C152EB04
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e803a5b8944fc947032c093ebb0a742b6cb699866a37532a5284c3aff788bc2d
      • Instruction ID: e7f52c5b2517ebb0d1b28cce6f8c9c88ab05f1bc0c94d07173e32c818e7adc71
      • Opcode Fuzzy Hash: e803a5b8944fc947032c093ebb0a742b6cb699866a37532a5284c3aff788bc2d
      • Instruction Fuzzy Hash: 8A3184B2204B84C6DB65CF2AE0507AD77A4F79DB8CF248125EB4C4BB60DB36C052EB04
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e343e4c796b764a73e414d0d990304497188ecdb83542b7e66a8b6573aa65c28
      • Instruction ID: 72f13190c128e644ff13aea5c38c236c8afd06360fdab77e8af30e68642497b1
      • Opcode Fuzzy Hash: e343e4c796b764a73e414d0d990304497188ecdb83542b7e66a8b6573aa65c28
      • Instruction Fuzzy Hash: 8DF012717156958ADBA79F29A842B6A7BE0F74C3C4F908059E68D83B54D63C8461CF04
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7b04df465fa63aa68e1f555a025a17f3f764badc0d6b632f1f96a1aecd26d865
      • Instruction ID: e6f1604fbba2463c1bc75514c33ccd616bb63c9f451326ff38a1893e26ed5176
      • Opcode Fuzzy Hash: 7b04df465fa63aa68e1f555a025a17f3f764badc0d6b632f1f96a1aecd26d865
      • Instruction Fuzzy Hash: D4A00271204D11D0E606CB12F8543D02330E358BC0F404055F30987470DB789A80C300
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo
      • String ID: f$f$p$p$f
      • API String ID: 3215553584-1325933183
      • Opcode ID: ce6d67f256a4032def3af1d8cd7b7d82e53083e9764f5716966e02bb4bb54323
      • Instruction ID: eae4e5beebcff4c13a09cb51c0507b335b081adb13b4dc267a6e42aa49d80cca
      • Opcode Fuzzy Hash: ce6d67f256a4032def3af1d8cd7b7d82e53083e9764f5716966e02bb4bb54323
      • Instruction Fuzzy Hash: 431207726041A186FB66AB16E0447FA76A2F3487D4FC48116F7D14FAE8D7BEC980DB10
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Process$Window$CloseEnumFileFindHandleImageNameOpenProcessesThreadTimes
      • String ID: Shell_TrayWnd
      • API String ID: 205820467-2988720461
      • Opcode ID: 4e8f9a3a30018f2568b96e6e18a362f6acf6222118c55bfd0528eb782fd80a1a
      • Instruction ID: 24243209e553496c561a6bcc162cc4dab644d59db49bc4f7d8e28691a245c59b
      • Opcode Fuzzy Hash: 4e8f9a3a30018f2568b96e6e18a362f6acf6222118c55bfd0528eb782fd80a1a
      • Instruction Fuzzy Hash: 79312D32205B8496EB61DF66F8483CA73A5F7C8B90F454126EB9E47BA4DF38C546CB00
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: AddressHandleModuleOpenProcQueryValue
      • String ID: RtlGetVersion$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$ntdll.dll
      • API String ID: 3749297518-2374052841
      • Opcode ID: d6e4fe2ee83aa2db2239d9ddc1ade4e41f5e1932f62eb9226598db175b26306b
      • Instruction ID: 77d8cd97db81aae3ea5f108a6abd0beefcb39b2f46e14cef257f89e36ee0a703
      • Opcode Fuzzy Hash: d6e4fe2ee83aa2db2239d9ddc1ade4e41f5e1932f62eb9226598db175b26306b
      • Instruction Fuzzy Hash: F2212C71315A4086EA52DF26F4A17EA73A0FB8CB94F845515BB9E477B5EF38C504CB00
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
      • String ID: csm$csm$csm
      • API String ID: 849930591-393685449
      • Opcode ID: edbbe840a8373cdb4e31518621074600ba3a50fb2ec30f6d92b98c6fc6b9991a
      • Instruction ID: b93237a8a0b7f978a52c184d53e9b9678d0b6093d20d145ac237bbf22ababeca
      • Opcode Fuzzy Hash: edbbe840a8373cdb4e31518621074600ba3a50fb2ec30f6d92b98c6fc6b9991a
      • Instruction Fuzzy Hash: FDD17DB2604B808AEB22DF66E4813DD7BA0F7597D8F100116FF8957BAADB34D591C710
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: AddressFreeLibraryProc
      • String ID: api-ms-$ext-ms-
      • API String ID: 3013587201-537541572
      • Opcode ID: ef3bc35623a80c0a12a9e26fd304a124d70bac3035df805c9076772035344ea9
      • Instruction ID: 421c8aa36f0f870adfdd09176a97bc8531082e9382ab659a74de8d5308c6cca0
      • Opcode Fuzzy Hash: ef3bc35623a80c0a12a9e26fd304a124d70bac3035df805c9076772035344ea9
      • Instruction Fuzzy Hash: 1E419671311A1046FA27DB27A8087D62395B78EBE0F594229BF1D8B7A4DF7DC8458340
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo
      • String ID:
      • API String ID: 3215553584-0
      • Opcode ID: 7c38f0de54f05d91ad9688a111f71bc95857195be8fd5b9b417f7bb6bca439c6
      • Instruction ID: 72b53005d01e9f081890ddc90d598b893b9d021276935dee9e2c1206bb09d84f
      • Opcode Fuzzy Hash: 7c38f0de54f05d91ad9688a111f71bc95857195be8fd5b9b417f7bb6bca439c6
      • Instruction Fuzzy Hash: 33C1FF32204B84A1EB239B17A4407EE7BA1F399BC0F554116FB9A0F7B1DB7AC949C301
      APIs
      • LoadLibraryExW.KERNEL32(?,?,?,000000014000CFA6,?,?,?,000000014000CC98,?,?,?,000000014000C8A5), ref: 000000014000CD79
      • GetLastError.KERNEL32(?,?,?,000000014000CFA6,?,?,?,000000014000CC98,?,?,?,000000014000C8A5), ref: 000000014000CD87
      • LoadLibraryExW.KERNEL32(?,?,?,000000014000CFA6,?,?,?,000000014000CC98,?,?,?,000000014000C8A5), ref: 000000014000CDB1
      • FreeLibrary.KERNEL32(?,?,?,000000014000CFA6,?,?,?,000000014000CC98,?,?,?,000000014000C8A5), ref: 000000014000CE1F
      • GetProcAddress.KERNEL32(?,?,?,000000014000CFA6,?,?,?,000000014000CC98,?,?,?,000000014000C8A5), ref: 000000014000CE2B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Library$Load$AddressErrorFreeLastProc
      • String ID: api-ms-
      • API String ID: 2559590344-2084034818
      • Opcode ID: d7f8f216c4f4acd89432c313c5ad7c34ea41a0a7d90c31f2b5c21f717bcf4ecd
      • Instruction ID: a9e6d6a9a213f0e6a530655c5c2d1fb5dfc325bc71444162a6cf6d3da5126b42
      • Opcode Fuzzy Hash: d7f8f216c4f4acd89432c313c5ad7c34ea41a0a7d90c31f2b5c21f717bcf4ecd
      • Instruction Fuzzy Hash: 8D319CB1223A4091EE63DB17B800BD66798BB4CBE0F59062ABF1D4B3A1DF38C4458300
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Value$ErrorLast
      • String ID:
      • API String ID: 2506987500-0
      • Opcode ID: 4f1a363b4ef79b4fe80f310dd69b37d0e9153a5f980327ddc9d2c0b0c49e9305
      • Instruction ID: c2ca184d2297498b1b1fb0ce9e135d9206655c26193302bf39a4498c7496ba80
      • Opcode Fuzzy Hash: 4f1a363b4ef79b4fe80f310dd69b37d0e9153a5f980327ddc9d2c0b0c49e9305
      • Instruction Fuzzy Hash: B9213030304A4082FA6BA777A6513F962969B4E7F0F144725BB3A4F6FEEE3A94414341
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: CreateCurrentDirectoryFileFolderMovePathProcess_invalid_parameter_noinfo
      • String ID: .tmp$\ExplorerPatcher\cleanup
      • API String ID: 2244147495-4034946036
      • Opcode ID: 43d739f71f4796e592c7b873a627809dc5218c47c2bce855b23fce3350d37e82
      • Instruction ID: 3d616fdd7000eef0a2d1635f9adfd164e87507abcf6d15d7b835761e8114038d
      • Opcode Fuzzy Hash: 43d739f71f4796e592c7b873a627809dc5218c47c2bce855b23fce3350d37e82
      • Instruction Fuzzy Hash: 1D312E75714B84D2EB12EB62F4917DA6321F79C780F804022BB8A47AB5DF3DD549CB41
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
      • String ID: CONOUT$
      • API String ID: 3230265001-3130406586
      • Opcode ID: 2aaf0c93eb0f03fa1c4988c9d2d282cd952ed87f484f1aa6c752a8c663537c20
      • Instruction ID: 305e8b8ddbcda1bb958e86c043d74b4ff97d029e51d9471c6fea92d43a2422bd
      • Opcode Fuzzy Hash: 2aaf0c93eb0f03fa1c4988c9d2d282cd952ed87f484f1aa6c752a8c663537c20
      • Instruction Fuzzy Hash: 91115B31310A8086E7528B63E84479AB7A4F78DBE4F448228FB5A87BB5DB78C8548740
      APIs
      • GetLastError.KERNEL32(?,?,?,00000001400159C1,?,?,?,?,000000014001824B,?,?,00000000,000000014001A012,?,?,?), ref: 0000000140019F03
      • FlsSetValue.KERNEL32(?,?,?,00000001400159C1,?,?,?,?,000000014001824B,?,?,00000000,000000014001A012,?,?,?), ref: 0000000140019F39
      • FlsSetValue.KERNEL32(?,?,?,00000001400159C1,?,?,?,?,000000014001824B,?,?,00000000,000000014001A012,?,?,?), ref: 0000000140019F66
      • FlsSetValue.KERNEL32(?,?,?,00000001400159C1,?,?,?,?,000000014001824B,?,?,00000000,000000014001A012,?,?,?), ref: 0000000140019F77
      • FlsSetValue.KERNEL32(?,?,?,00000001400159C1,?,?,?,?,000000014001824B,?,?,00000000,000000014001A012,?,?,?), ref: 0000000140019F88
      • SetLastError.KERNEL32(?,?,?,00000001400159C1,?,?,?,?,000000014001824B,?,?,00000000,000000014001A012,?,?,?), ref: 0000000140019FA3
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Value$ErrorLast
      • String ID:
      • API String ID: 2506987500-0
      • Opcode ID: cbf32f40b136062e831555fe37e04a9ac5161bb1b0b9df2c43726de1ca525ddc
      • Instruction ID: fc6533a7eadcb58c62316ee46a5882631e98ab4a30aa9fb13b72f165e74da184
      • Opcode Fuzzy Hash: cbf32f40b136062e831555fe37e04a9ac5161bb1b0b9df2c43726de1ca525ddc
      • Instruction Fuzzy Hash: 4A111F30304A4051FA57A73356513EA62965B8D7F0F144728BB3A4F7FAEE3AD4428350
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: AddressFreeHandleLibraryModuleProc
      • String ID: CorExitProcess$mscoree.dll
      • API String ID: 4061214504-1276376045
      • Opcode ID: 2fe9a94c2fe644671029ac37c15ed6fb7c67ef7466292b436900c0f81140d220
      • Instruction ID: 992e2c6c955670a42a87ed77767c64da7316bc92c55e50d6022aeccaa046f06f
      • Opcode Fuzzy Hash: 2fe9a94c2fe644671029ac37c15ed6fb7c67ef7466292b436900c0f81140d220
      • Instruction Fuzzy Hash: 97F06D71211B0482FA129F36E4543E96360AB8D7E2F540219EB6A4B6F4CF3DC848CB40
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _set_statfp
      • String ID:
      • API String ID: 1156100317-0
      • Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
      • Instruction ID: 8f90881aff7626fbfae5045e7286655964a7faafe8119efb3e57c7c24203fde5
      • Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
      • Instruction Fuzzy Hash: 85117032A10E2113F796576BE8463E911446B9D3F8F99462CFBEA0B6F7CB388C854200
      APIs
      • FlsGetValue.KERNEL32(?,?,?,000000014001512B,?,?,00000000,00000001400153C6), ref: 0000000140019FDB
      • FlsSetValue.KERNEL32(?,?,?,000000014001512B,?,?,00000000,00000001400153C6), ref: 0000000140019FFA
      • FlsSetValue.KERNEL32(?,?,?,000000014001512B,?,?,00000000,00000001400153C6), ref: 000000014001A022
      • FlsSetValue.KERNEL32(?,?,?,000000014001512B,?,?,00000000,00000001400153C6), ref: 000000014001A033
      • FlsSetValue.KERNEL32(?,?,?,000000014001512B,?,?,00000000,00000001400153C6), ref: 000000014001A044
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Value
      • String ID:
      • API String ID: 3702945584-0
      • Opcode ID: 20a217e5f7b1fd7e04476b23f45b7e75b0484d2c701f49fe81b5adafe2b2e052
      • Instruction ID: 454c44a23ba6dc94f713653a5e9d3871d7fdefc62b408010bf2e1ef03600eb52
      • Opcode Fuzzy Hash: 20a217e5f7b1fd7e04476b23f45b7e75b0484d2c701f49fe81b5adafe2b2e052
      • Instruction Fuzzy Hash: 7D11423170464041FA6B973766513EA62865B4E7F0F084725BB394F7FAEE3ED8418310
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Value
      • String ID:
      • API String ID: 3702945584-0
      • Opcode ID: e0c5a45514b846f4a6ec6a9b48552eb247e5f22168bf80840f25492ef7d229c4
      • Instruction ID: 47925c27e073974393f567cd6b2499197dc85acecaeb1e07eb156dfd53d4287d
      • Opcode Fuzzy Hash: e0c5a45514b846f4a6ec6a9b48552eb247e5f22168bf80840f25492ef7d229c4
      • Instruction Fuzzy Hash: A811ED3060560445FE6BE37394613EA22C64B4E7F0F185B24BF3A0F2FBEE3A98519251
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo
      • String ID: UTF-16LEUNICODE$UTF-8$ccs
      • API String ID: 3215553584-1196891531
      • Opcode ID: 74f2196a5011264ed8a8e946d85585914cc6389b25c9f2c12ebab23af57cbe04
      • Instruction ID: da88d3ede3ff0fb336b269a1c00cc3b6749ddc7636e938e83905d51e5fb7c453
      • Opcode Fuzzy Hash: 74f2196a5011264ed8a8e946d85585914cc6389b25c9f2c12ebab23af57cbe04
      • Instruction Fuzzy Hash: 9D819EB250424089FB674A6B82543F92BE0A71F7C8F599229FB068F6B5D73FC846D701
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
      • String ID: csm
      • API String ID: 2395640692-1018135373
      • Opcode ID: b4b4c45ed593a6338064cb329936eb953ba7f5b8f73c8cf3fd25acb91a00e38a
      • Instruction ID: b645d5b75bcce2bf045b93560bc920a81bb8470b32f96f24c936187819169ae2
      • Opcode Fuzzy Hash: b4b4c45ed593a6338064cb329936eb953ba7f5b8f73c8cf3fd25acb91a00e38a
      • Instruction Fuzzy Hash: 2A51A0727266008AEB26CF16F448FAC37A1F758BD8F558125FB5A477A8DB78C841CB00
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
      • String ID: csm$csm
      • API String ID: 3896166516-3733052814
      • Opcode ID: 55493a1d86d6d1c2829dd98f020e7f26503b2bafe26ce91d32a5800163ceb3f4
      • Instruction ID: 9de8db9001e5947b5fcf325f776269607a77082389067d1369ed0c2d1cd3c5e1
      • Opcode Fuzzy Hash: 55493a1d86d6d1c2829dd98f020e7f26503b2bafe26ce91d32a5800163ceb3f4
      • Instruction Fuzzy Hash: 8E516BB22016C08AEB76CF23A54839C7BA0F359BD4F144126FB9967BE5CB38D591C701
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: CallEncodePointerTranslator
      • String ID: MOC$RCC
      • API String ID: 3544855599-2084237596
      • Opcode ID: 9d36d8f63facf9072972825a8f25b270afb3395b8e3db92c428a1bad71ce0201
      • Instruction ID: d4b281d36677d89da739050f216b3beefb6a5eff75b06c9b461b7a3acb9d6c21
      • Opcode Fuzzy Hash: 9d36d8f63facf9072972825a8f25b270afb3395b8e3db92c428a1bad71ce0201
      • Instruction Fuzzy Hash: 60618E72508BC486EB22DB26F4407DAB7A0F788BD4F044216FB9917BA5DB78D194CB00
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: FileWrite$ConsoleErrorLastOutput
      • String ID:
      • API String ID: 2718003287-0
      • Opcode ID: 39341f6b071083c389d27ca145af769374f106796cb9e101150d78112becc34c
      • Instruction ID: b78d2afece67ddad1d73ac527de83f5fa5e4cb5ad3c4344bcfec7d96c5dab103
      • Opcode Fuzzy Hash: 39341f6b071083c389d27ca145af769374f106796cb9e101150d78112becc34c
      • Instruction Fuzzy Hash: 9FD1AC72714A848AE712CFAAD4403EC37A6F7587D8F588216EF5D9BBA9DB35C406C340
      APIs
      • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000000014001BD3B), ref: 000000014001BE6C
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000000014001BD3B), ref: 000000014001BEF7
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ConsoleErrorLastMode
      • String ID:
      • API String ID: 953036326-0
      • Opcode ID: 6a903a98531a6a38120dd5fe8925782221f2e8c9167dc9779352e6ff04d461fe
      • Instruction ID: a52073535675b5fde1d0ee2bd10db1dc1a6f87a10f206263cd2f01bacdf8d842
      • Opcode Fuzzy Hash: 6a903a98531a6a38120dd5fe8925782221f2e8c9167dc9779352e6ff04d461fe
      • Instruction Fuzzy Hash: 5491CE72710A5485F7669F7B98807ED2BA1F74CBC8F184119FF4A5BAA5DB36C882C700
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: Process$Window$CloseEnumFileFindHandleImageListNameOpenProcessesRegisterResourcesSessionShutdownStartThreadTimes
      • String ID:
      • API String ID: 1342731755-0
      • Opcode ID: 81b8fef60b8062452498f576b742c1cf9c03d130e5caf3934e5e65250f2dafe8
      • Instruction ID: 9401fa184fec3f216bb66152d0c2785968d878a10459c93b99832138b2235596
      • Opcode Fuzzy Hash: 81b8fef60b8062452498f576b742c1cf9c03d130e5caf3934e5e65250f2dafe8
      • Instruction Fuzzy Hash: 6421D576614A808AE722DF66F8557DAB3A1F7CD784F808226B68943A74DF7CC545CB00
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ErrorFileLastWrite
      • String ID: U
      • API String ID: 442123175-4171548499
      • Opcode ID: 06faa7f65e1d0a517bc6756e51b41b3e3b8168a71d08826b51c2e36264805c12
      • Instruction ID: dd9d123131406edfad40deee3851c9712fd8bb55e904486bc1615e5a90a3c07f
      • Opcode Fuzzy Hash: 06faa7f65e1d0a517bc6756e51b41b3e3b8168a71d08826b51c2e36264805c12
      • Instruction Fuzzy Hash: 4641A032718A8081EB21CF26E4453EA67A1F7887D4F844125FF8D8BBA8EB79C441C740
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1707273607.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
      • Associated: 00000000.00000002.1707238627.0000000140000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707314394.0000000140026000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707335345.0000000140036000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1707352520.0000000140038000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_140000000_5390d36a371f0598b86301961d5fdb329e368e7a.jbxd
      Similarity
      • API ID: ExceptionFileHeaderRaise
      • String ID: csm
      • API String ID: 2573137834-1018135373
      • Opcode ID: 3beb58d024089605d881be079b21a95fd86c6b3659aa545b441cc55ce2b955c4
      • Instruction ID: 2535b7959cbd0a52874b9944eb2be6fbeda090ed1e63f97b147250077050750e
      • Opcode Fuzzy Hash: 3beb58d024089605d881be079b21a95fd86c6b3659aa545b441cc55ce2b955c4
      • Instruction Fuzzy Hash: 3411B972215B8082EB62CB26F440399B7E5F78CB94F584625EB8D17769DF39C951CB00