
Windows Analysis Report
ET7GnkzV1D.exe

Overview

General Information

Sample name: ET7GnkzV1D.exe (renamed because original name is a hash value)
Original sample name: 293da2f09c7f7c04057130f8e7d78bd6.exe
Analysis ID: 1527492
MD5: 293da2f09c7f7c04057130f8e7d78bd6
SHA1: 8ae1886774ac2c474228175425e5811182770acc
SHA256: 0df444b6fafe38d90cbe0c01b4f91d3dacf8604fb8c799a0b9723b82643bdbf5
Tags: 32exe

Detection

Score: 39
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evaded block containing many API calls
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ET7GnkzV1D.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\ET7GnkzV1D.exe" MD5: 293DA2F09C7F7C04057130F8E7D78BD6)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: ET7GnkzV1D.exe | ReversingLabs: Detection: 71%
Source: ET7GnkzV1D.exe | Joe Sandbox ML: detected
Source: ET7GnkzV1D.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ET7GnkzV1D.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: ET7GnkzV1D.exe
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DD420 SendDlgItemMessageW,GetDlgItem,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005CBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DB090 SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005C7AAF __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D5011
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D8253
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005C92C6
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D02F7
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D5282
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E62A8
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D13FD
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D742E
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E64D7
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D55B0
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005EE600
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D07A7
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005CD833
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D88AF
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005C395A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005C4A8E
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005EEAAE
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005F2BB4
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005CFCCC
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005D7DDC
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005C2EB6
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: String function: 005DFEFC appears 42 times
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: String function: 005E07A0 appears 31 times
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: String function: 005DFFD0 appears 56 times
Source: classification engine | Classification label: sus39.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005C7727 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DB0CE CLSIDFromString,CoCreateInstance
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DB6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Command line argument: sfxname (0_2_005DF05C)
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Command line argument: sfxstime (0_2_005DF05C)
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Command line argument: p0` (0_2_005DF05C)
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Command line argument: STARTDLG (0_2_005DF05C)
Source: ET7GnkzV1D.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | File read: C:\Users\user\Desktop\ET7GnkzV1D.exe
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: msiso.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Section loaded: networkexplorer.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ET7GnkzV1D.exe | Static file information: File size 1559368 > 1048576
Source: ET7GnkzV1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ET7GnkzV1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ET7GnkzV1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ET7GnkzV1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ET7GnkzV1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ET7GnkzV1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ET7GnkzV1D.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ET7GnkzV1D.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ET7GnkzV1D.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ET7GnkzV1D.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ET7GnkzV1D.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: ET7GnkzV1D.exe | Static PE information: real checksum: 0x53bcc should be: 0x18c252
Source: ET7GnkzV1D.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E07F0 push ecx; ret 0_2_005E0803
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DFEFC push eax; ret 0_2_005DFF1A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Memory allocated: 73E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Evaded block: after key decision (graph_0-24044)
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DF82F VirtualQuery,GetSystemInfo
Source: ET7GnkzV1D.exe, 00000000.00000003.2452291158.000000000BC5C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:dJ
Source: ET7GnkzV1D.exe, 00000000.00000003.2729022593.000000000BC4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ET7GnkzV1D.exe, 00000000.00000002.2934766672.0000000002D09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ET7GnkzV1D.exe, 00000000.00000003.2592396114.000000000E91F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:3
Source: ET7GnkzV1D.exe, 00000000.00000003.1893705518.000000000BC55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ET7GnkzV1D.exe, 00000000.00000003.2728807838.000000000E91F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: ET7GnkzV1D.exe, 00000000.00000002.2934766672.0000000002D09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | API call chain: ExitProcess graph end node (graph_0-25109)
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E91B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005ED1F0 GetProcessHeap
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E0B9D SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005E0826 cpuid
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: GetLocaleInfoW,GetNumberFormatW (0_2_005DC093)
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005DF05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe | Code function: 0_2_005CC365 GetVersionExW
MITRE ATT&CK Matrix

Techniques listed per tactic column; the number in parentheses is the count the matrix shows for that technique, and techniques without a number carry no count in the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (2); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: System Time Discovery (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); File and Directory Discovery (2); System Information Discovery (34)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
ET7GnkzV1D.exe | 71% | ReversingLabs | Win32.Virus.Mikcer
ET7GnkzV1D.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527492
Start date and time: 2024-10-07 00:57:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ET7GnkzV1D.exe (renamed because original name is a hash value)
Original Sample Name: 293da2f09c7f7c04057130f8e7d78bd6.exe
Detection: SUS
Classification: sus39.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 97
  • Number of non-executed functions: 99
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: ET7GnkzV1D.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.8913255142618315
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ET7GnkzV1D.exe
File size: 1'559'368 bytes
MD5: 293da2f09c7f7c04057130f8e7d78bd6
SHA1: 8ae1886774ac2c474228175425e5811182770acc
SHA256: 0df444b6fafe38d90cbe0c01b4f91d3dacf8604fb8c799a0b9723b82643bdbf5
SHA512: b3436599386c7f8b57f26cf05107aa2bd1a96bf9ecd454a1df9f80ea5bcb391b49f31f7ccd798e8d0b52d3f31bd3e741f36effff2c383f68bb17dfd47c3f0059
SSDEEP: 24576:WubsnafAPyjmNZe5lusz8tgjVFHjOMZXRVdT+Rh7NkFHUUl7s2P5FGMNfCWngFyO:oIyobusjVIMl1T+P7W6WQ21xvngFyEF
TLSH: 847523127BC1DAB2D42318734B26AF21E53D7D301F654EDFA790694EEE120C09B3A7A5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w...w...w..<.V..w..<.T..w..<.U..w....Z..w.......w.......w.......w....$..w....4..w...w...v.......w.......w....X..w.......w.
Icon Hash: 1515d4d4442f2d2d
Entrypoint: 0x420790
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x64C8CFB2 [Tue Aug 1 09:26:10 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 0ae9e38912ff6bd742a1b9e5c003576a
Instruction
call 00007FB34D34C98Bh
jmp 00007FB34D34C33Dh
int3
int3
int3
int3
int3
int3
push 00423A90h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004407A8h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FB34D33F1D1h
push 0043D14Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FB34D34EFE5h
int3
jmp 00007FB34D350EB8h
push ebp
mov ebp, esp
and dword ptr [00463D58h], 00000000h
sub esp, 24h
or dword ptr [004407A0h], 01h
push 0000000Ah
call dword ptr [004341C4h]
test eax, eax
je 00007FB34D34C672h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e380 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e3b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0xd494 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0x23dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c1b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x366a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3d85c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x32dcc | 0x32e00 | bf3082787caa3b02fd9d989022806d04 | False | 0.592286355958231 | data | 6.705330880207017 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x34000 | 0xb1d0 | 0xb200 | ba53cf76fc539872e6fb32f5b59318a2 | False | 0.46025719803370785 | data | 5.269843738840559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x24750 | 0x1200 | 63d51bc646ae841bb4737f86d3d78592 | False | 0.4058159722222222 | data | 4.083590987791496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x65000 | 0x1a4 | 0x200 | deb77807258e64170eadd0d48c2f3f11 | False | 0.46484375 | data | 3.5190901598372837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0xe000 | 0xd600 | 1d1dd914a7804cf3dc94344302518b2e | False | 0.6627117406542056 | data | 6.8582824561368305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x74000 | 0x23dc | 0x2400 | e49afaf69d5cac6d9ffa2d43bc30363a | False | 0.7861328125 | data | 6.67388754981222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x66644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | Chinese | Taiwan | 1.0027729636048528
PNG | 0x6718c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | Chinese | Taiwan | 0.9363390441839495
RT_ICON | 0x68738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | Chinese | Taiwan | 0.47832369942196534
RT_ICON | 0x68ca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | Chinese | Taiwan | 0.5410649819494585
RT_ICON | 0x69548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | Chinese | Taiwan | 0.4933368869936034
RT_ICON | 0x6a3f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | Chinese | Taiwan | 0.5390070921985816
RT_ICON | 0x6a858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | Chinese | Taiwan | 0.41393058161350843
RT_ICON | 0x6b900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | Chinese | Taiwan | 0.3479253112033195
RT_ICON | 0x6dea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | Taiwan | 0.9809269502193401
RT_DIALOG | 0x71c1c | 0x186 | data | Chinese | Taiwan | 0.6871794871794872
RT_DIALOG | 0x71da4 | 0xe2 | data | Chinese | Taiwan | 0.7168141592920354
RT_DIALOG | 0x71e88 | 0xbe | data | Chinese | Taiwan | 0.7263157894736842
RT_DIALOG | 0x71f48 | 0x10a | data | Chinese | Taiwan | 0.6541353383458647
RT_DIALOG | 0x72054 | 0x28e | data | Chinese | Taiwan | 0.5030581039755352
RT_DIALOG | 0x722e4 | 0x1d6 | data | Chinese | Taiwan | 0.6829787234042554
RT_STRING | 0x724bc | 0xae | data | Chinese | Taiwan | 0.7701149425287356
RT_STRING | 0x7256c | 0xda | data | Chinese | Taiwan | 0.6697247706422018
RT_STRING | 0x72648 | 0xba | data | Chinese | Taiwan | 0.7903225806451613
RT_STRING | 0x72704 | 0x78 | data | Chinese | Taiwan | 0.9416666666666667
RT_STRING | 0x7277c | 0x31c | data | Chinese | Taiwan | 0.5314070351758794
RT_STRING | 0x72a98 | 0x82 | data | Chinese | Taiwan | 0.7
RT_STRING | 0x72b1c | 0x78 | data | Chinese | Taiwan | 0.825
RT_STRING | 0x72b94 | 0x7e | data | Chinese | Taiwan | 0.6984126984126984
RT_STRING | 0x72c14 | 0x56 | data | Chinese | Taiwan | 0.8837209302325582
RT_STRING | 0x72c6c | 0x6a | data | Chinese | Taiwan | 0.7075471698113207
RT_GROUP_ICON | 0x72cd8 | 0x68 | data | Chinese | Taiwan | 0.7019230769230769
RT_MANIFEST | 0x72d40 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | Chinese | Taiwan | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
Chinese | Taiwan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 00:58:39.070426941 CEST | 53 | 50855 | 1.1.1.1 | 192.168.2.4
Target ID:0
Start time:18:58:17
Start date:06/10/2024
Path:C:\Users\user\Desktop\ET7GnkzV1D.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\ET7GnkzV1D.exe"
Imagebase:0x5c0000
File size:1'559'368 bytes
MD5 hash:293DA2F09C7F7C04057130F8E7D78BD6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false


    Execution Graph

    Execution Coverage:5.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:5.8%
    Total number of Nodes:1083
    Total number of Limit Nodes:24
calls 2 library calls 24395->24435 24398 5c48f5 Concurrency::cancel_current_task 24397->24398 24400 5dfee9 24397->24400 24433 5e3340 RaiseException 24398->24433 24436 5e3340 RaiseException 24400->24436 24401 5c4911 24404 5c4927 24401->24404 24434 5c136b 26 API calls Concurrency::cancel_current_task 24401->24434 24403 5e0820 24404->24354 24407 5c6457 __EH_prolog 24406->24407 24437 5cc9d8 24407->24437 24409 5c6464 24410 5d04e5 41 API calls 24409->24410 24411 5c64bb 24410->24411 24440 5c665c GetCurrentProcess GetProcessAffinityMask 24411->24440 24413 5c64d8 24413->24356 24415 5cc20d _abort 24414->24415 24450 5cc0d3 24415->24450 24421 5e002f ___scrt_is_nonwritable_in_current_image 24420->24421 24422 5e005a 24421->24422 24424 5c6920 24421->24424 24422->24380 24425 5c692a __EH_prolog 24424->24425 24428 5d04e5 24425->24428 24427 5c6936 24427->24421 24429 5d04ef __EH_prolog 24428->24429 24432 5c4846 41 API calls 24429->24432 24431 5d050b 24431->24427 24432->24431 24433->24401 24434->24404 24435->24395 24436->24403 24441 5cca2e 24437->24441 24440->24413 24442 5cca40 _abort 24441->24442 24445 5d23fb 24442->24445 24448 5d23bd GetCurrentProcess GetProcessAffinityMask 24445->24448 24449 5cca2a 24448->24449 24449->24409 24457 5cc0b4 24450->24457 24452 5cc148 24453 5c2111 24452->24453 24454 5c211c 24453->24454 24455 5c212b 24453->24455 24461 5c136b 26 API calls Concurrency::cancel_current_task 24454->24461 24455->24355 24458 5cc0bd 24457->24458 24460 5cc0c2 24457->24460 24459 5c2111 26 API calls 24458->24459 24459->24460 24460->24452 24461->24455 24463 5cb1e9 24462->24463 24464 5c208f 24463->24464 24486 5c77af 73 API calls 24463->24486 24464->24364 24466 5c1ad3 24464->24466 24467 5c1add __EH_prolog 24466->24467 24479 5c1b30 24467->24479 24482 5c1c63 24467->24482 24487 5c13d9 24467->24487 24469 5c1c9e 24511 5c1397 69 API calls 24469->24511 24473 5c1cab 24473->24482 24499 5c4264 24473->24499 24474 5c1d31 24478 5c1d64 24474->24478 24474->24482 24512 5c1397 69 API calls 24474->24512 
24476 5c1ce9 24476->24474 24477 5c4264 110 API calls 24476->24477 24477->24476 24478->24482 24484 5cb110 74 API calls 24478->24484 24479->24469 24479->24473 24479->24482 24480 5c4264 110 API calls 24481 5c1db5 24480->24481 24481->24480 24481->24482 24482->24362 24484->24481 24485->24364 24486->24464 24513 5c1822 24487->24513 24490 5cb110 24491 5cb122 24490->24491 24495 5cb135 24490->24495 24494 5cb140 24491->24494 24557 5c7800 72 API calls 24491->24557 24493 5cb148 SetFilePointer 24493->24494 24496 5cb164 GetLastError 24493->24496 24494->24479 24495->24493 24495->24494 24496->24494 24497 5cb16e 24496->24497 24497->24494 24558 5c7800 72 API calls 24497->24558 24500 5c4274 24499->24500 24501 5c4270 24499->24501 24510 5cb110 74 API calls 24500->24510 24501->24476 24502 5c4286 24503 5c42af 24502->24503 24504 5c42a1 24502->24504 24560 5c2eb6 108 API calls 3 library calls 24503->24560 24505 5c42e1 24504->24505 24559 5c395a 96 API calls 3 library calls 24504->24559 24505->24476 24508 5c42ad 24508->24505 24561 5c2544 69 API calls 24508->24561 24510->24502 24511->24482 24512->24478 24514 5c1834 24513->24514 24515 5c13f2 24513->24515 24516 5c185d 24514->24516 24536 5c76e9 71 API calls __vswprintf_c_l 24514->24536 24515->24490 24523 5e521e 24516->24523 24519 5c1853 24537 5c775a 70 API calls 24519->24537 24524 5ea6a4 24523->24524 24525 5ea6bc 24524->24525 24526 5ea6b1 24524->24526 24528 5ea6c4 24525->24528 24535 5ea6cd _abort 24525->24535 24539 5ea7fe 24526->24539 24546 5ea66a 24528->24546 24529 5ea6f7 HeapReAlloc 24533 5c187a 24529->24533 24529->24535 24530 5ea6d2 24552 5ea7eb 20 API calls _abort 24530->24552 24533->24515 24538 5c775a 70 API calls 24533->24538 24535->24529 24535->24530 24553 5e8e5c 7 API calls 2 library calls 24535->24553 24536->24519 24537->24516 24538->24515 24540 5ea83c 24539->24540 24544 5ea80c _abort 24539->24544 24555 5ea7eb 20 API calls _abort 24540->24555 24542 5ea827 RtlAllocateHeap 24543 5ea83a 24542->24543 24542->24544 24543->24533 24544->24540 
24544->24542 24554 5e8e5c 7 API calls 2 library calls 24544->24554 24547 5ea675 RtlFreeHeap 24546->24547 24548 5ea69e __dosmaperr 24546->24548 24547->24548 24549 5ea68a 24547->24549 24548->24533 24556 5ea7eb 20 API calls _abort 24549->24556 24551 5ea690 GetLastError 24551->24548 24552->24533 24553->24535 24554->24544 24555->24543 24556->24551 24557->24495 24558->24494 24559->24508 24560->24508 24561->24505 24562->24368 24567 5c20ed 26 API calls Concurrency::cancel_current_task 24563->24567 24565 5c16c0 24567->24565 24568->24256 24569->24257 24570->24259 24571->24270 24573 5c4a0a __vswprintf_c_l 24572->24573 24576 5e72e2 24573->24576 24579 5e53a5 24576->24579 24580 5e53cd 24579->24580 24581 5e53e5 24579->24581 24596 5ea7eb 20 API calls _abort 24580->24596 24581->24580 24583 5e53ed 24581->24583 24598 5e5944 24583->24598 24585 5e53d2 24597 5e51b9 26 API calls _abort 24585->24597 24590 5e5475 24607 5e5cf4 51 API calls 4 library calls 24590->24607 24591 5c4a14 24591->24080 24594 5e5480 24608 5e59c7 20 API calls _free 24594->24608 24595 5e53dd 24609 5e0d7c 24595->24609 24596->24585 24597->24595 24599 5e53fd 24598->24599 24600 5e5961 24598->24600 24606 5e590f 20 API calls 2 library calls 24599->24606 24600->24599 24616 5ea515 GetLastError 24600->24616 24602 5e5982 24636 5eaaf6 38 API calls __cftof 24602->24636 24604 5e599b 24637 5eab23 38 API calls __cftof 24604->24637 24606->24590 24607->24594 24608->24595 24610 5e0d84 24609->24610 24611 5e0d85 IsProcessorFeaturePresent 24609->24611 24610->24591 24613 5e0dc7 24611->24613 24651 5e0d8a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 24613->24651 24615 5e0eaa 24615->24591 24617 5ea52b 24616->24617 24618 5ea531 24616->24618 24638 5ec01b 11 API calls 2 library calls 24617->24638 24622 5ea580 SetLastError 24618->24622 24639 5ec2f6 24618->24639 24622->24602 24624 5ea66a _free 20 API calls 24626 5ea551 24624->24626 24625 5ea560 24627 5ea567 24625->24627 24628 5ea54b 24625->24628 24629 
5ea58c SetLastError 24626->24629 24647 5ea380 20 API calls _abort 24627->24647 24628->24624 24648 5ea0f4 38 API calls _abort 24629->24648 24631 5ea572 24634 5ea66a _free 20 API calls 24631->24634 24635 5ea579 24634->24635 24635->24622 24635->24629 24636->24604 24637->24599 24638->24618 24640 5ec303 _abort 24639->24640 24641 5ec32e RtlAllocateHeap 24640->24641 24642 5ec343 24640->24642 24649 5e8e5c 7 API calls 2 library calls 24640->24649 24641->24640 24644 5ea543 24641->24644 24650 5ea7eb 20 API calls _abort 24642->24650 24644->24628 24646 5ec071 11 API calls 2 library calls 24644->24646 24646->24625 24647->24631 24649->24640 24650->24644 24651->24615 24652->24288 24654 5ca88c 24653->24654 24655 5ca8aa 24653->24655 24654->24655 24657 5ca898 CloseHandle 24654->24657 24656 5ca8c9 24655->24656 24659 5c7685 71 API calls 24655->24659 24656->24288 24657->24655 24659->24656 25418 5dd8d8 92 API calls 4 library calls 25461 5e4bd0 5 API calls CatchGuardHandler 25462 5dd8d8 96 API calls 4 library calls 25391 5eb8c0 21 API calls 25392 5e9cc0 7 API calls ___scrt_uninitialize_crt 25420 5f3dc0 VariantClear 25463 5f03c0 51 API calls 24698 5c13fd 43 API calls 2 library calls 25421 5dedf1 DialogBoxParamW 24707 5eccf0 24708 5ecd02 24707->24708 24709 5eccf9 24707->24709 24711 5ecbe7 24709->24711 24712 5ea515 _unexpected 38 API calls 24711->24712 24713 5ecbf4 24712->24713 24731 5ecd0e 24713->24731 24715 5ecbfc 24740 5ec97b 24715->24740 24718 5ecc13 24718->24708 24719 5ea7fe __vsnwprintf_l 21 API calls 24720 5ecc24 24719->24720 24721 5ecc56 24720->24721 24747 5ecdb0 24720->24747 24724 5ea66a _free 20 API calls 24721->24724 24724->24718 24725 5ecc51 24757 5ea7eb 20 API calls _abort 24725->24757 24727 5ecc9a 24727->24721 24758 5ec851 26 API calls 24727->24758 24728 5ecc6e 24728->24727 24729 5ea66a _free 20 API calls 24728->24729 24729->24727 24732 5ecd1a ___scrt_is_nonwritable_in_current_image 24731->24732 24733 5ea515 _unexpected 38 API calls 24732->24733 24738 5ecd24 24733->24738 24735 
5ecda8 _abort 24735->24715 24738->24735 24739 5ea66a _free 20 API calls 24738->24739 24759 5ea0f4 38 API calls _abort 24738->24759 24760 5ebdf1 EnterCriticalSection 24738->24760 24761 5ecd9f LeaveCriticalSection _abort 24738->24761 24739->24738 24741 5e5944 __cftof 38 API calls 24740->24741 24742 5ec98d 24741->24742 24743 5ec9ae 24742->24743 24744 5ec99c GetOEMCP 24742->24744 24745 5ec9c5 24743->24745 24746 5ec9b3 GetACP 24743->24746 24744->24745 24745->24718 24745->24719 24746->24745 24748 5ec97b 40 API calls 24747->24748 24749 5ecdcf 24748->24749 24752 5ece20 IsValidCodePage 24749->24752 24754 5ecdd6 24749->24754 24756 5ece45 _abort 24749->24756 24750 5e0d7c CatchGuardHandler 5 API calls 24751 5ecc49 24750->24751 24751->24725 24751->24728 24753 5ece32 GetCPInfo 24752->24753 24752->24754 24753->24754 24753->24756 24754->24750 24762 5eca53 GetCPInfo 24756->24762 24757->24721 24758->24721 24760->24738 24761->24738 24763 5eca8d 24762->24763 24771 5ecb37 24762->24771 24772 5edb48 24763->24772 24766 5e0d7c CatchGuardHandler 5 API calls 24768 5ecbe3 24766->24768 24768->24754 24770 5ebd38 __vsnwprintf_l 43 API calls 24770->24771 24771->24766 24773 5e5944 __cftof 38 API calls 24772->24773 24774 5edb68 MultiByteToWideChar 24773->24774 24776 5edba6 24774->24776 24784 5edc3e 24774->24784 24779 5edbc7 _abort __vsnwprintf_l 24776->24779 24780 5ea7fe __vsnwprintf_l 21 API calls 24776->24780 24777 5e0d7c CatchGuardHandler 5 API calls 24781 5ecaee 24777->24781 24778 5edc38 24791 5ebd83 20 API calls _free 24778->24791 24779->24778 24783 5edc0c MultiByteToWideChar 24779->24783 24780->24779 24786 5ebd38 24781->24786 24783->24778 24785 5edc28 GetStringTypeW 24783->24785 24784->24777 24785->24778 24787 5e5944 __cftof 38 API calls 24786->24787 24788 5ebd4b 24787->24788 24792 5ebb1b 24788->24792 24791->24784 24793 5ebb36 __vsnwprintf_l 24792->24793 24794 5ebb5c MultiByteToWideChar 24793->24794 24795 5ebb86 24794->24795 24796 5ebd10 24794->24796 24799 5ea7fe __vsnwprintf_l 21 API calls 
24795->24799 24802 5ebba7 __vsnwprintf_l 24795->24802 24797 5e0d7c CatchGuardHandler 5 API calls 24796->24797 24798 5ebd23 24797->24798 24798->24770 24799->24802 24800 5ebc5c 24828 5ebd83 20 API calls _free 24800->24828 24801 5ebbf0 MultiByteToWideChar 24801->24800 24803 5ebc09 24801->24803 24802->24800 24802->24801 24819 5ec12c 24803->24819 24807 5ebc6b 24809 5ea7fe __vsnwprintf_l 21 API calls 24807->24809 24812 5ebc8c __vsnwprintf_l 24807->24812 24808 5ebc33 24808->24800 24810 5ec12c __vsnwprintf_l 11 API calls 24808->24810 24809->24812 24810->24800 24811 5ebd01 24827 5ebd83 20 API calls _free 24811->24827 24812->24811 24813 5ec12c __vsnwprintf_l 11 API calls 24812->24813 24815 5ebce0 24813->24815 24815->24811 24816 5ebcef WideCharToMultiByte 24815->24816 24816->24811 24817 5ebd2f 24816->24817 24829 5ebd83 20 API calls _free 24817->24829 24830 5ebe58 24819->24830 24822 5ec15c 24825 5e0d7c CatchGuardHandler 5 API calls 24822->24825 24824 5ec19c LCMapStringW 24824->24822 24826 5ebc20 24825->24826 24826->24800 24826->24807 24826->24808 24827->24800 24828->24796 24829->24800 24831 5ebe88 24830->24831 24835 5ebe84 24830->24835 24831->24822 24837 5ec1b4 10 API calls 3 library calls 24831->24837 24832 5ebea8 24832->24831 24834 5ebeb4 GetProcAddress 24832->24834 24836 5ebec4 _abort 24834->24836 24835->24831 24835->24832 24838 5ebef4 24835->24838 24836->24831 24837->24824 24839 5ebf15 LoadLibraryExW 24838->24839 24843 5ebf0a 24838->24843 24840 5ebf4a 24839->24840 24841 5ebf32 GetLastError 24839->24841 24840->24843 24844 5ebf61 FreeLibrary 24840->24844 24841->24840 24842 5ebf3d LoadLibraryExW 24841->24842 24842->24840 24843->24835 24844->24843 25393 5e10f0 LocalFree 25422 5ed1f0 GetProcessHeap 25442 5dc2f3 72 API calls 25443 5ec66e 27 API calls CatchGuardHandler 25424 5dbde0 70 API calls 25465 5e73e0 QueryPerformanceFrequency QueryPerformanceCounter 25444 5dd8d8 102 API calls 4 library calls 25298 5db090 25299 5db09f SetWindowLongW 25298->25299 25300 5db0b9 
NtdllDefWindowProc_W 25298->25300 25303 5da822 25299->25303 25302 5db0b8 25302->25300 25304 5dfebe 27 API calls 25303->25304 25305 5da839 25304->25305 25307 5da869 25305->25307 25308 5db0ce CLSIDFromString 25305->25308 25307->25302 25309 5db0fc 25308->25309 25309->25307 25426 5eb590 21 API calls 2 library calls 25445 5e3a90 6 API calls 4 library calls 25466 5e0790 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 25447 5e3e8b 38 API calls 4 library calls 25398 5d8880 127 API calls 25427 5e1180 RaiseException _com_raise_error _com_error::_com_error 25326 5c10b5 25327 5c644d 43 API calls 25326->25327 25328 5c10ba 25327->25328 25331 5e0372 29 API calls 25328->25331 25330 5c10c4 25331->25330 25467 5dc7b0 102 API calls 25333 5ebdb0 25334 5ebdbb 25333->25334 25335 5ec0ca 11 API calls 25334->25335 25336 5ebde4 25334->25336 25337 5ebde0 25334->25337 25335->25334 25339 5ebe10 DeleteCriticalSection 25336->25339 25339->25337 25469 5e0f0f 9 API calls 2 library calls 25428 5dd8d8 103 API calls 4 library calls 25429 5df5af 14 API calls ___delayLoadHelper2@8 25400 5da4a0 GetClientRect CopyRect 25401 5ed0a0 GetCommandLineA GetCommandLineW

    Control-flow Graph

    APIs
      • Part of subcall function 005D1B83: GetModuleHandleW.KERNEL32(kernel32), ref: 005D1B9C
      • Part of subcall function 005D1B83: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005D1BAE
      • Part of subcall function 005D1B83: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005D1BDF
      • Part of subcall function 005DB65D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 005DB665
      • Part of subcall function 005DBD1B: OleInitialize.OLE32(00000000), ref: 005DBD34
      • Part of subcall function 005DBD1B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 005DBD6B
      • Part of subcall function 005DBD1B: SHGetMalloc.SHELL32(0060A460), ref: 005DBD75
    • GetCommandLineW.KERNEL32 ref: 005DF09B
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 005DF0C5
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 005DF0D6
    • UnmapViewOfFile.KERNEL32(00000000), ref: 005DF127
      • Part of subcall function 005DED2E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 005DED44
      • Part of subcall function 005DED2E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 005DED80
      • Part of subcall function 005D0752: _wcslen.LIBCMT ref: 005D0776
    • CloseHandle.KERNEL32(00000000), ref: 005DF12E
    • GetModuleFileNameW.KERNEL32(00000000,00620CC0,00000800), ref: 005DF148
    • SetEnvironmentVariableW.KERNEL32(sfxname,00620CC0), ref: 005DF154
    • GetLocalTime.KERNEL32(?), ref: 005DF15F
    • _swprintf.LIBCMT ref: 005DF19E
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 005DF1B3
    • GetModuleHandleW.KERNEL32(00000000), ref: 005DF1BA
    • LoadIconW.USER32(00000000,00000064), ref: 005DF1D1
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9D0,00000000), ref: 005DF222
    • Sleep.KERNEL32(?), ref: 005DF250
    • CloseHandle.KERNEL32 ref: 005DF2DC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$p0`$sfxname$sfxstime$winrarsfxmappingfile.tmp
    • API String ID: 4208810040-3390466904
    • Opcode ID: 4064cd3b81f29b44553b13d0bec7e3955d6b8837cc047ea5b76b7eebcb5c07fe
    • Instruction ID: df77f6ba16881b75c7e14c9510d58076a30eb9a84520597b68943bca0cee6dce
    • Opcode Fuzzy Hash: 4064cd3b81f29b44553b13d0bec7e3955d6b8837cc047ea5b76b7eebcb5c07fe
    • Instruction Fuzzy Hash: 4261E075540301ABD330ABA9EC4DF6B3FAEBB95344F04042BF542D6392DB788985CB62

    Control-flow Graph

    APIs
    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,005DC92D,00000066), ref: 005DB6E5
    • SizeofResource.KERNEL32(00000000,?,?,?,005DC92D,00000066), ref: 005DB6FC
    • LoadResource.KERNEL32(00000000,?,?,?,005DC92D,00000066), ref: 005DB713
    • LockResource.KERNEL32(00000000,?,?,?,005DC92D,00000066), ref: 005DB722
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,005DC92D,00000066), ref: 005DB73D
    • GlobalLock.KERNEL32(00000000), ref: 005DB74E
    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 005DB772
    • GlobalUnlock.KERNEL32(00000000), ref: 005DB7D6
      • Part of subcall function 005DB636: GdipAlloc.GDIPLUS(00000010), ref: 005DB63C
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 005DB7B7
    • GlobalFree.KERNEL32(00000000), ref: 005DB7DD
    Strings
    Similarity
    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
    • String ID: PNG
    • API String ID: 211097158-364855578
    • Opcode ID: 9d10c3c70b0ce1420b42f4fee1c064be1821788bdfd7b28c137f9a4ff723f633
    • Instruction ID: 300dc13716d0f88fd6baae4ed4eb91892adab9616d55b36b018bec45fef3db34
    • Opcode Fuzzy Hash: 9d10c3c70b0ce1420b42f4fee1c064be1821788bdfd7b28c137f9a4ff723f633
    • Instruction Fuzzy Hash: 87317071600212EBE7209F25EC88D2B7FAEFF94751B06052AF906C2360EB35D845DBA0

    Control-flow Graph

    APIs
    • CLSIDFromString.COMBASE(?,?), ref: 005DB0DF
    • CoCreateInstance.COMBASE(?,00000000,00000005,005F64FC,?), ref: 005DB0F6
    Strings
    Similarity
    • API ID: CreateFromInstanceString
    • String ID: Pou
    • API String ID: 432265043-1565865998
    • Opcode ID: b1c54139cf7b45d4d588ed3d5189b5dca08c37e84a0df091a50ed008de0d905d
    • Instruction ID: 48dab4f1127f5f5b62e8449c37f5e0dca766e66f94b125cdfd1a80f36a6db368
    • Opcode Fuzzy Hash: b1c54139cf7b45d4d588ed3d5189b5dca08c37e84a0df091a50ed008de0d905d
    • Instruction Fuzzy Hash: 6E212779A00518AFDB14DFA8CC5896A7BB9FF48300B01046AFA02E7260CB35AD42DF90
    APIs
    • SetWindowLongW.USER32(?,000000EB), ref: 005DB0A8
    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 005DB0C3
    Similarity
    • API ID: Window$LongNtdllProc_
    • String ID:
    • API String ID: 2044268144-0
    • Opcode ID: 1e85333e74e59da539f753da681dd6d0eb3387a4df86c2d970cfa437aeead8fe
    • Instruction ID: a4a152b3b8e4abde683e9e5d15b6eb5a4561453c9a64ae2f47da6231b4bc6814
    • Opcode Fuzzy Hash: 1e85333e74e59da539f753da681dd6d0eb3387a4df86c2d970cfa437aeead8fe
    • Instruction Fuzzy Hash: 84E0E536100519BBCF21AF99DC08C9F7F6AFF89770B008012FA1956260D771A962EBA1

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(kernel32), ref: 005D1B9C
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005D1BAE
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005D1BDF
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 005D1E89
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005D1EA3
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D1EB3
    • ReadFile.KERNEL32(00000000,?,00007FFE,$M_,00000000), ref: 005D1ED1
    • CloseHandle.KERNEL32(00000000), ref: 005D1F29
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 005D1F3E
    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,$M_,?,00000000,?,00000800), ref: 005D1F92
    • GetFileAttributesW.KERNEL32(?,?,$M_,00000800,?,00000000,?,00000800), ref: 005D1FBC
    • GetFileAttributesW.KERNEL32(?,?,M_,00000800), ref: 005D1FF8
      • Part of subcall function 005D1B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005D1B56
      • Part of subcall function 005D1B3B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,005D063A,Crypt32.dll,00000000,005D06B4,00000200,?,005D0697,00000000,00000000,?), ref: 005D1B78
    • _swprintf.LIBCMT ref: 005D206A
    • _swprintf.LIBCMT ref: 005D20B6
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    • AllocConsole.KERNEL32 ref: 005D20BE
    • GetCurrentProcessId.KERNEL32 ref: 005D20C8
    • AttachConsole.KERNEL32(00000000), ref: 005D20CF
    • _wcslen.LIBCMT ref: 005D20E4
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 005D20F5
    • WriteConsoleW.KERNEL32(00000000), ref: 005D20FC
    • Sleep.KERNEL32(00002710), ref: 005D2107
    • FreeConsole.KERNEL32 ref: 005D210D
    • ExitProcess.KERNEL32 ref: 005D2115
    Strings
    Similarity
    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
    • String ID: $M_$$P_$$Q_$(N_$(R_$,O_$4Q_$<M_$<P_$@N_$DO_$DR_$DXGIDebug.dll$LQ_$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$XM_$XN_$\O_$\R_$`P_$dQ_$dwmapi.dll$kernel32$pM_$pN_$tO_$uxtheme.dll$xP_$xQ_$xR_$M_$N_
    • API String ID: 1207345701-2159295333
    • Opcode ID: 81de1b690330f66903420ad6276a9741dc2dedd2f138367029b03a276b70e9bf
    • Instruction ID: 6bfbe5bd5339f70da726781cc690326e8eec55df9b4f8fbce31fb71f1926b90d
    • Opcode Fuzzy Hash: 81de1b690330f66903420ad6276a9741dc2dedd2f138367029b03a276b70e9bf
    • Instruction Fuzzy Hash: 58D141B1008789ABD7319F54984CBAF7FECBB84704F50091EF3899A250DBB88548CF66
    APIs
    • __EH_prolog.LIBCMT ref: 005DC9D5
      • Part of subcall function 005C12F6: GetParent.USER32(?), ref: 005C132A
      • Part of subcall function 005C12F6: GetDlgItem.USER32(00000000,00003021), ref: 005C133A
      • Part of subcall function 005C12F6: SetWindowTextW.USER32(00000000,005F45F4), ref: 005C1350
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 005DCAC1
    • GetDlgItem.USER32(?,00000068), ref: 005DCB73
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 005DCB8E
    • SendMessageW.USER32(00000000,000000C2,00000000,005F45F4), ref: 005DCBA1
      • Part of subcall function 005DE598: _wcslen.LIBCMT ref: 005DE5C2
    • _swprintf.LIBCMT ref: 005DCC07
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 005DCC6A
    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 005DCC92
    • GetTickCount.KERNEL32 ref: 005DCCB0
    • _swprintf.LIBCMT ref: 005DCCC8
    • GetLastError.KERNEL32(?,00000011), ref: 005DCCFA
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 005DCD4D
    • _swprintf.LIBCMT ref: 005DCD84
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 005DCDD8
    • GetCommandLineW.KERNEL32 ref: 005DCDEE
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00611482,00000400,00000001,00000001), ref: 005DCE45
    • Sleep.KERNEL32(00000064), ref: 005DCEB5
    • UnmapViewOfFile.KERNEL32(?,?,0000421C,00611482,00000400), ref: 005DCEDE
    • CloseHandle.KERNEL32(00000000), ref: 005DCEE7
    • _swprintf.LIBCMT ref: 005DCF1A
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 005DCF79
    • SetDlgItemTextW.USER32(?,00000065,005F45F4), ref: 005DCF90
    • GetDlgItem.USER32(?,00000065), ref: 005DCF99
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005DCFB7
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 005DD064
    • _wcslen.LIBCMT ref: 005DD0BA
    • _swprintf.LIBCMT ref: 005DD0E4
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 005DD12E
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 005DD148
    • GetDlgItem.USER32(?,00000068), ref: 005DD151
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 005DD167
    • GetDlgItem.USER32(?,00000066), ref: 005DD181
    • SetWindowTextW.USER32(00000000,0061389A), ref: 005DD1A3
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 005DD203
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 005DD216
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 005DD3D5
      • Part of subcall function 005DD884: __EH_prolog.LIBCMT ref: 005DD889
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7B0,00000000,?), ref: 005DD2B9
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 005DD3F9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Item$Text$MessageSend$_swprintf$File$ErrorLastWindow$H_prologView_wcslen$CloseCommandCountCreateDialogHandleLineLongMappingModuleNameParamParentSleepTickUnmap__vswprintf_c_l
    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$lb_$winrarsfxmappingfile.tmp
    • API String ID: 2405341051-3283024690
    • Opcode ID: 3e223bc0e32ecfed0628ee505a36529b8171469baa7092d8e64ac86d184ecf87
    • Instruction ID: 054869cae8de447a3cc290aa0d647c818153d66cfbc3d00df545bb7a844c0684
    • Opcode Fuzzy Hash: 3e223bc0e32ecfed0628ee505a36529b8171469baa7092d8e64ac86d184ecf87
    • Instruction Fuzzy Hash: 8D42F470A44705BAEB31ABA89C4EFBE7FBEBB51700F040057F641A62D2C7B44945CB62
    APIs
    • __EH_prolog.LIBCMT ref: 005CED90
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 005CEDCC
      • Part of subcall function 005CD6A7: _wcslen.LIBCMT ref: 005CD6AF
      • Part of subcall function 005D1907: _wcslen.LIBCMT ref: 005D190D
      • Part of subcall function 005D2ED2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,005CCF18,00000000,?,?), ref: 005D2EEE
    • _wcslen.LIBCMT ref: 005CF109
    • __fprintf_l.LIBCMT ref: 005CF23C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
    • API String ID: 566448164-801612888
    • Opcode ID: 85484763307c7d0fa381cb66f69df83bd10f4371628db6fd2037ce31457d78c5
    • Instruction ID: d6cc3a584d24e315600955ad5f65dc117981a8ab4fa62a3b021067897a74ace5
    • Opcode Fuzzy Hash: 85484763307c7d0fa381cb66f69df83bd10f4371628db6fd2037ce31457d78c5
    • Instruction Fuzzy Hash: 6032DF71900259AFCF28DFA8C846FEA3FA6FF48704F40056EFA4697281E7719985CB54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 666 5daef5-5daf23 ShowWindow call 5dac24 669 5daf2e-5daf33 666->669 670 5daf25-5daf2d call 5e5219 666->670 672 5daf39-5daf42 call 5e8a18 669->672 673 5daf35-5daf37 669->673 670->669 675 5daf43-5daf4b 672->675 673->675 678 5daf4d-5daf4f 675->678 679 5daf51-5daf5a call 5e8a18 675->679 680 5daf5b-5daf85 GetWindowRect GetParent MapWindowPoints 678->680 679->680 683 5daf87 680->683 684 5daf90-5dafd9 GetParent CreateWindowExW 680->684 683->684 685 5db018-5db01a 684->685 686 5dafdb-5dafde 684->686 688 5db01c-5db028 ShowWindow UpdateWindow 685->688 689 5db02e-5db034 685->689 686->685 687 5dafe0-5dafe2 686->687 687->689 690 5dafe4-5dafe7 687->690 688->689 690->689 691 5dafe9-5dafec 690->691 691->689 692 5dafee-5daffc call 5dad1e 691->692 692->689 695 5daffe-5db016 ShowWindow SetWindowTextW call 5e5219 692->695 695->689
    APIs
    • ShowWindow.USER32(?,00000000), ref: 005DAF0E
      • Part of subcall function 005DAC24: LoadCursorW.USER32(00000000,00007F00), ref: 005DAC5B
      • Part of subcall function 005DAC24: RegisterClassExW.USER32(00000030), ref: 005DAC7C
    • GetWindowRect.USER32(?,?), ref: 005DAF64
    • GetParent.USER32(?), ref: 005DAF72
    • MapWindowPoints.USER32(00000000,00000000), ref: 005DAF7B
    • GetParent.USER32(?), ref: 005DAFA7
    • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 005DAFCB
    • ShowWindow.USER32(?,00000005,00000000), ref: 005DB001
    • SetWindowTextW.USER32(?,00000000), ref: 005DB009
    • ShowWindow.USER32(00000000,00000005), ref: 005DB01F
    • UpdateWindow.USER32(00000000), ref: 005DB028
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Window$Show$Parent$ClassCreateCursorLoadPointsRectRegisterTextUpdate
    • String ID: RarHtmlClassName
    • API String ID: 484599571-1658105358
    • Opcode ID: 293c2f6997bd5602f4af603cac7f7d44076b9730441d6af84b10fc919d13eb88
    • Instruction ID: 68451cc18cdf0ceb57b1232269e2d28c429859e83d22de3382337f6480598919
    • Opcode Fuzzy Hash: 293c2f6997bd5602f4af603cac7f7d44076b9730441d6af84b10fc919d13eb88
    • Instruction Fuzzy Hash: 0041DD71404705EFDB319F28DC4DB6B7FAAFB48310F14465AF94AAA252DB30E814CB62

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 722 5ebb1b-5ebb34 723 5ebb4a-5ebb4f 722->723 724 5ebb36-5ebb46 call 5f010c 722->724 726 5ebb5c-5ebb80 MultiByteToWideChar 723->726 727 5ebb51-5ebb59 723->727 724->723 734 5ebb48 724->734 728 5ebb86-5ebb92 726->728 729 5ebd13-5ebd26 call 5e0d7c 726->729 727->726 731 5ebbe6 728->731 732 5ebb94-5ebba5 728->732 738 5ebbe8-5ebbea 731->738 735 5ebba7-5ebbb6 call 5f31d0 732->735 736 5ebbc4-5ebbd5 call 5ea7fe 732->736 734->723 741 5ebd08 735->741 749 5ebbbc-5ebbc2 735->749 736->741 750 5ebbdb 736->750 738->741 742 5ebbf0-5ebc03 MultiByteToWideChar 738->742 743 5ebd0a-5ebd11 call 5ebd83 741->743 742->741 746 5ebc09-5ebc1b call 5ec12c 742->746 743->729 751 5ebc20-5ebc24 746->751 753 5ebbe1-5ebbe4 749->753 750->753 751->741 754 5ebc2a-5ebc31 751->754 753->738 755 5ebc6b-5ebc77 754->755 756 5ebc33-5ebc38 754->756 758 5ebc79-5ebc8a 755->758 759 5ebcc3 755->759 756->743 757 5ebc3e-5ebc40 756->757 757->741 760 5ebc46-5ebc60 call 5ec12c 757->760 762 5ebc8c-5ebc9b call 5f31d0 758->762 763 5ebca5-5ebcb6 call 5ea7fe 758->763 761 5ebcc5-5ebcc7 759->761 760->743 775 5ebc66 760->775 766 5ebcc9-5ebce2 call 5ec12c 761->766 767 5ebd01-5ebd07 call 5ebd83 761->767 762->767 778 5ebc9d-5ebca3 762->778 763->767 774 5ebcb8 763->774 766->767 780 5ebce4-5ebceb 766->780 767->741 779 5ebcbe-5ebcc1 774->779 775->741 778->779 779->761 781 5ebced-5ebcee 780->781 782 5ebd27-5ebd2d 780->782 783 5ebcef-5ebcff WideCharToMultiByte 781->783 782->783 783->767 784 5ebd2f-5ebd36 call 5ebd83 783->784 784->743
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005E69A3,005E69A3,?,?,?,005EBD6C,00000001,00000001,62E85006), ref: 005EBB75
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005EBD6C,00000001,00000001,62E85006,?,?,?), ref: 005EBBFB
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005EBCF5
    • __freea.LIBCMT ref: 005EBD02
      • Part of subcall function 005EA7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005EDBEC,00000000,?,005E80B1,?,00000008,?,005EA871,?,?,?), ref: 005EA830
    • __freea.LIBCMT ref: 005EBD0B
    • __freea.LIBCMT ref: 005EBD30
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: a1cfe7b274cc6832999279f73deaad27a3a170e8074e1770367c7c894ef4d5b0
    • Instruction ID: 194804098b228786028f199af6d1486c64f83a50fe18bff60657c41f233fb3fa
    • Opcode Fuzzy Hash: a1cfe7b274cc6832999279f73deaad27a3a170e8074e1770367c7c894ef4d5b0
    • Instruction Fuzzy Hash: 6651DE72600296ABEB298F66CD85FBB7EAAFF80711F244628F844D6180DB35DC40C690

    Control-flow Graph

    APIs
      • Part of subcall function 005D1B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005D1B56
      • Part of subcall function 005D1B3B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,005D063A,Crypt32.dll,00000000,005D06B4,00000200,?,005D0697,00000000,00000000,?), ref: 005D1B78
    • OleInitialize.OLE32(00000000), ref: 005DBD34
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 005DBD6B
    • SHGetMalloc.SHELL32(0060A460), ref: 005DBD75
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
    • String ID: riched20.dll$3Ro
    • API String ID: 3498096277-3613677438
    • Opcode ID: de827a7ba8088b03a29020eb3736d325d842bcdf999fd10cb049f5bd23ae16a3
    • Instruction ID: 00e5aea3b7fe5d6d68c836d17ddc36c4e24f10ff9ab5410fe1276fab23522f61
    • Opcode Fuzzy Hash: de827a7ba8088b03a29020eb3736d325d842bcdf999fd10cb049f5bd23ae16a3
    • Instruction Fuzzy Hash: 1DF04FB1C00609ABCB20AF99CC499EFFFFCEF80300F004017E501A2240D7B446458BA1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 791 5cab40-5cab61 call 5dffd0 794 5cab6c 791->794 795 5cab63-5cab66 791->795 797 5cab6e-5cab7f 794->797 795->794 796 5cab68-5cab6a 795->796 796->797 798 5cab87-5cab91 797->798 799 5cab81 797->799 800 5cab96-5caba3 call 5c79e5 798->800 801 5cab93 798->801 799->798 804 5cabab-5cabca CreateFileW 800->804 805 5caba5 800->805 801->800 806 5cabcc-5cabee GetLastError call 5ccf32 804->806 807 5cac1b-5cac1f 804->807 805->804 811 5cac28-5cac2d 806->811 813 5cabf0-5cac13 CreateFileW GetLastError 806->813 809 5cac23-5cac26 807->809 809->811 812 5cac39-5cac3e 809->812 811->812 814 5cac2f 811->814 815 5cac5f-5cac70 812->815 816 5cac40-5cac43 812->816 813->809 817 5cac15-5cac19 813->817 814->812 819 5cac8e-5cac99 815->819 820 5cac72-5cac8a call 5d192f 815->820 816->815 818 5cac45-5cac59 SetFileTime 816->818 817->809 818->815 820->819
    APIs
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,005C8243,?,00000005,?,00000011), ref: 005CABBF
    • GetLastError.KERNEL32(?,?,005C8243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005CABCC
    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,005C8243,?,00000005,?), ref: 005CAC02
    • GetLastError.KERNEL32(?,?,005C8243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005CAC0A
    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,005C8243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005CAC59
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: File$CreateErrorLast$Time
    • String ID:
    • API String ID: 1999340476-0
    • Opcode ID: 147be5477a524853750cb54d7e7e70dfae6ac3571553685486e702f2bc1a3191
    • Instruction ID: 78859974fd8cd8df5a6cef575880ae6e48435aa565b54407e2018d78ba840cff
    • Opcode Fuzzy Hash: 147be5477a524853750cb54d7e7e70dfae6ac3571553685486e702f2bc1a3191
    • Instruction Fuzzy Hash: FA3123305447496FE3209B64CC49BAABFA8BB45328F100B1DF5A0861D1D7B4AC88CB96

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 823 5c122f-5c1245 SHGetMalloc 824 5c12a7 823->824 825 5c1247-5c127c SHBrowseForFolderW 823->825 826 5c12a9-5c12ab 824->826 825->824 827 5c127e-5c12a5 SHGetPathFromIDListW 825->827 827->826
    APIs
    • SHGetMalloc.SHELL32(?), ref: 005C123D
    • SHBrowseForFolderW.SHELL32(?), ref: 005C1272
    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005C1283
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: BrowseFolderFromListMallocPath
    • String ID: A
    • API String ID: 2332185071-3554254475
    • Opcode ID: 120d29573926881eec3b336fea48918624299f5e4191a773cac9b69663cbb338
    • Instruction ID: 8aac9e9a8db372cf9043660d2632e2be71fe533c030168650a3ae9186d345d02
    • Opcode Fuzzy Hash: 120d29573926881eec3b336fea48918624299f5e4191a773cac9b69663cbb338
    • Instruction Fuzzy Hash: 7D011B79D01619AFCB24CFA5D844AEE7BF8BF09314B10416AE90AE7200D7359A45DF94

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 830 5dbbc0-5dbbdf GetClassNameW 831 5dbc07-5dbc09 830->831 832 5dbbe1-5dbbf6 call 5d3316 830->832 833 5dbc0b-5dbc0e SHAutoComplete 831->833 834 5dbc14-5dbc16 831->834 837 5dbbf8-5dbc04 FindWindowExW 832->837 838 5dbc06 832->838 833->834 837->838 838->831
    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 005DBBD7
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 005DBC0E
      • Part of subcall function 005D3316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,005CD523,00000000,.exe,?,?,00000800,?,?,?,005D9E5C), ref: 005D332C
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 005DBBFE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AutoClassCompareCompleteFindNameStringWindow
    • String ID: EDIT
    • API String ID: 4243998846-3080729518
    • Opcode ID: 11ef7d74a9ae981891e62839d9721821a3ab05c02f19378df433080436d8c2a6
    • Instruction ID: 2a616e964d1dcb05ae6941ea30aad266ba5f7674ca80e8440d1fe49af3fa9c9c
    • Opcode Fuzzy Hash: 11ef7d74a9ae981891e62839d9721821a3ab05c02f19378df433080436d8c2a6
    • Instruction Fuzzy Hash: ECF08932601A19BBE73056559C09F9F7A6DBB45B40F450023BE01B2190DB74DD4189F5

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 839 5ded2e-5ded59 call 5dffd0 SetEnvironmentVariableW call 5d169e 843 5ded5e-5ded62 839->843 844 5ded64-5ded68 843->844 845 5ded86-5ded88 843->845 846 5ded71-5ded78 call 5d17ba 844->846 849 5ded6a-5ded70 846->849 850 5ded7a-5ded80 SetEnvironmentVariableW 846->850 849->846 850->845
    APIs
    • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 005DED44
    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 005DED80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: EnvironmentVariable
    • String ID: sfxcmd$sfxpar
    • API String ID: 1431749950-3493335439
    • Opcode ID: bd52c0f3644f34b64eaeb84250d7558eab0332f0277fcaf0edf4ecde659bba50
    • Instruction ID: b8cb7c1ad27a7f9c4521021ce70a9613cfce377325970a973e3fc3cdbc1ac32b
    • Opcode Fuzzy Hash: bd52c0f3644f34b64eaeb84250d7558eab0332f0277fcaf0edf4ecde659bba50
    • Instruction Fuzzy Hash: 8FF0A771400625B6CB303B988C0AEBB7E59FF65741B000017BD459A246EA64C840D7A0

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 851 5e4da2-5e4db7 LoadLibraryExW 852 5e4deb-5e4dec 851->852 853 5e4db9-5e4dc2 GetLastError 851->853 854 5e4de9 853->854 855 5e4dc4-5e4dd8 call 5e7468 853->855 854->852 855->854 858 5e4dda-5e4de8 LoadLibraryExW 855->858
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005E4D53,00000000,?,006240C4,?,?,?,005E4EF6,00000004,InitializeCriticalSectionEx,005F7424,InitializeCriticalSectionEx), ref: 005E4DAF
    • GetLastError.KERNEL32(?,005E4D53,00000000,?,006240C4,?,?,?,005E4EF6,00000004,InitializeCriticalSectionEx,005F7424,InitializeCriticalSectionEx,00000000,?,005E4CAD), ref: 005E4DB9
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005E4DE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 76503e7ec9f4c12c67a4f4f19e06cbf9990d284734ea2c34f625354c725c4505
    • Instruction ID: 9e269c06d52742eed25bc252ad21dbf6cde22ace97f8c122505f00d96516c73a
    • Opcode Fuzzy Hash: 76503e7ec9f4c12c67a4f4f19e06cbf9990d284734ea2c34f625354c725c4505
    • Instruction Fuzzy Hash: 64E04F38684248B7EF102B62EC0AB7A3F98BB10B51F104030FA4DE80E0EB75A954ED84

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 859 5ca9e5-5ca9f1 860 5ca9fe-5caa15 ReadFile 859->860 861 5ca9f3-5ca9fb GetStdHandle 859->861 862 5caa17-5caa20 call 5cab1c 860->862 863 5caa71 860->863 861->860 867 5caa39-5caa3d 862->867 868 5caa22-5caa2a 862->868 865 5caa74-5caa77 863->865 870 5caa4e-5caa52 867->870 871 5caa3f-5caa48 GetLastError 867->871 868->867 869 5caa2c 868->869 872 5caa2d-5caa37 call 5ca9e5 869->872 874 5caa6c-5caa6f 870->874 875 5caa54-5caa5c 870->875 871->870 873 5caa4a-5caa4c 871->873 872->865 873->865 874->865 875->874 877 5caa5e-5caa67 GetLastError 875->877 877->874 879 5caa69-5caa6a 877->879 879->872
    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 005CA9F5
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 005CAA0D
    • GetLastError.KERNEL32 ref: 005CAA3F
    • GetLastError.KERNEL32 ref: 005CAA5E
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorLast$FileHandleRead
    • String ID:
    • API String ID: 2244327787-0
    • Opcode ID: 3a1a2a23d3ca21884267ae64de9fd7e012573eda7cce6cd28773ae4e3cbbb081
    • Instruction ID: e8c8ab1e34c9a5b55599a80a93fa7fa729346de24628b702a7ad399eb098317d
    • Opcode Fuzzy Hash: 3a1a2a23d3ca21884267ae64de9fd7e012573eda7cce6cd28773ae4e3cbbb081
    • Instruction Fuzzy Hash: 8E114C35500608AFCB219FE4DE08F7A3FB9BB51368F10462EE516C5190DB749E44DB52

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 880 5ebef4-5ebf08 881 5ebf0a-5ebf13 880->881 882 5ebf15-5ebf30 LoadLibraryExW 880->882 883 5ebf6c-5ebf6e 881->883 884 5ebf59-5ebf5f 882->884 885 5ebf32-5ebf3b GetLastError 882->885 888 5ebf68 884->888 889 5ebf61-5ebf62 FreeLibrary 884->889 886 5ebf3d-5ebf48 LoadLibraryExW 885->886 887 5ebf4a 885->887 890 5ebf4c-5ebf4e 886->890 887->890 891 5ebf6a-5ebf6b 888->891 889->888 890->884 892 5ebf50-5ebf57 890->892 891->883 892->891
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005E5281,00000000,00000000,?,005EBE9B,005E5281,00000000,00000000,00000000,?,005EC098,00000006,FlsSetValue), ref: 005EBF26
    • GetLastError.KERNEL32(?,005EBE9B,005E5281,00000000,00000000,00000000,?,005EC098,00000006,FlsSetValue,005F8A00,FlsSetValue,00000000,00000364,?,005EA5E7), ref: 005EBF32
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005EBE9B,005E5281,00000000,00000000,00000000,?,005EC098,00000006,FlsSetValue,005F8A00,FlsSetValue,00000000), ref: 005EBF40
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 13d6eae5a30668464a4c474d7d7fc07fb2218878e3cd03f2b41060deade876cd
    • Instruction ID: fbea61e4976dd5fff2900852e006af543d146d48c0c7ffabc054d1c194a2b419
    • Opcode Fuzzy Hash: 13d6eae5a30668464a4c474d7d7fc07fb2218878e3cd03f2b41060deade876cd
    • Instruction Fuzzy Hash: 88012B362053639BDB254B7AAC44A777F98BF15BA3B150620F9AAD7190DB24DC04CEE0

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 911 5cf968-5cf989 call 5cecd0 914 5cf98b-5cf9a0 LoadStringW 911->914 915 5cf9b5-5cf9b9 911->915 914->915 916 5cf9a2-5cf9af LoadStringW 914->916 916->915
    APIs
    • LoadStringW.USER32(?,?,00000200,?), ref: 005CF998
    • LoadStringW.USER32(?,?,00000200), ref: 005CF9AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: LoadString
    • String ID: p0`
    • API String ID: 2948472770-960816873
    • Opcode ID: 8e316967041eb5a2afdcd1c6a261afc4f3b98f91aae63d5c720dffa7ec8dad33
    • Instruction ID: b134707acb0972436167772e27ed3ffb1c8e8bdd54f7764e442a43bfbe8759d3
    • Opcode Fuzzy Hash: 8e316967041eb5a2afdcd1c6a261afc4f3b98f91aae63d5c720dffa7ec8dad33
    • Instruction Fuzzy Hash: 8CF09836101229BFDF215F95EC09EAB7F6FFF09391B005429FD0596230D6328961EBA0
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 005ECA78
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-3916222277
    • Opcode ID: 7d596fbb8cb5e55594ed45358ea771769d96044cd387fda2d63409096be45fb1
    • Instruction ID: 1758fb9d2543e0dee6950e4953fb7cf625773505b0513a8d53752a4b678a57e3
    • Opcode Fuzzy Hash: 7d596fbb8cb5e55594ed45358ea771769d96044cd387fda2d63409096be45fb1
    • Instruction Fuzzy Hash: 4A41187150428C9ADB2A8F258C85BFABFADFB45304F5408EDD5CA86142D235E9468F20
    APIs
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,?), ref: 005EC19D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: String
    • String ID: LCMapStringEx
    • API String ID: 2568140703-3893581201
    • Opcode ID: c9c08e0d7e948ede78d9aab3eceb76871e091198a5c7c135131a0faae0f22907
    • Instruction ID: 2d080e544f5896ff17d5101d8482f8eba851ba702c544423f50af1bc332c7eb5
    • Opcode Fuzzy Hash: c9c08e0d7e948ede78d9aab3eceb76871e091198a5c7c135131a0faae0f22907
    • Instruction Fuzzy Hash: 3A01023254124DBBDF069F91DC05DAE3FA2FB48760F044515BE4465161CA368961EB80
    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,005EB72F), ref: 005EC115
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: InitializeCriticalSectionEx
    • API String ID: 2593887523-3084827643
    • Opcode ID: 5559cd9be53e0a2e6ffe8853bd1189aa2bf91905159cd992b791caf54100b4e3
    • Instruction ID: a175385e15f4305ab40bf5f6e773ff7a99d570c8438e419df500029180d1bbee
    • Opcode Fuzzy Hash: 5559cd9be53e0a2e6ffe8853bd1189aa2bf91905159cd992b791caf54100b4e3
    • Instruction Fuzzy Hash: C7F0BE31A8125CBBCF099F51DC06DBF7FA1FB687A0B004065FD495A260CF769A61EB80
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Alloc
    • String ID: FlsAlloc
    • API String ID: 2773662609-671089009
    • Opcode ID: 4ec8829f1e9768feb1bdbd2740fe6f1c212e2d545c5c897909b71ea0c9beeb1b
    • Instruction ID: 62ac30769aac6752fbbbc11cc8beb3ae4ce2e2b24f74998a2703e734ee268737
    • Opcode Fuzzy Hash: 4ec8829f1e9768feb1bdbd2740fe6f1c212e2d545c5c897909b71ea0c9beeb1b
    • Instruction Fuzzy Hash: 05E05C3164021C6B97046B519D0697F7F55EB54721F010015F94452250CFB41D009ACA
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF70C
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pou
    • API String ID: 1269201914-1565865998
    • Opcode ID: a46613b75a744b72b1089090de01a3d1a56c8571dfccdf8d18d53230cb905c70
    • Instruction ID: 5271d6e43b2638d75db46ba1a56b25e527c6e7485d19a8c7df87c9010efe5498
    • Opcode Fuzzy Hash: a46613b75a744b72b1089090de01a3d1a56c8571dfccdf8d18d53230cb905c70
    • Instruction Fuzzy Hash: EFB012813695017D3224562CBD1BE3E0E2DF4C0B10330883BF003C4241D4800E810231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF70C
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pou
    • API String ID: 1269201914-1565865998
    • Opcode ID: c466a4a779756615595a68e528b8b4c46cf5177a81e3975c6fb84fc88d7e175f
    • Instruction ID: 59ec294b525162337a862d6d5f687985ad93cfeda79950f6198d85203923bdaf
    • Opcode Fuzzy Hash: c466a4a779756615595a68e528b8b4c46cf5177a81e3975c6fb84fc88d7e175f
    • Instruction Fuzzy Hash: 4EB01291369501BD3224562CBC1BE3E0F2DE4C0B14330C83BF403C0241D4400D800231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF70C
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pou
    • API String ID: 1269201914-1565865998
    • Opcode ID: 7248ad49d17af7d7e98c941473612180e743a8e46b1426d6335b9eeddf6d3f83
    • Instruction ID: 2113c3cd4803a6ee5790cd59a4126234bf66cfcc086ab8d6da83fcd7c9d0ab4c
    • Opcode Fuzzy Hash: 7248ad49d17af7d7e98c941473612180e743a8e46b1426d6335b9eeddf6d3f83
    • Instruction Fuzzy Hash: BAB012813696017D3274562CBC1FE3E0E2DE4C0B603304D3BF003C0241D4400DC00232
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF70C
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pou
    • API String ID: 1269201914-1565865998
    • Opcode ID: 88a6ac3a85adcb37e3747224a42e0d73a7278579577224a3bd3121fc34686089
    • Instruction ID: 6936fa53859c8d9160e3d7f7a03d1bf32305457533c07f6070617b042d965aef
    • Opcode Fuzzy Hash: 88a6ac3a85adcb37e3747224a42e0d73a7278579577224a3bd3121fc34686089
    • Instruction Fuzzy Hash: 14B012813695017D3224562CBC1BE3E0E2DF4C0B10330883BF003C0241D4400D800231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DFD6A
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: 3Ro
    • API String ID: 1269201914-1492261280
    • Opcode ID: 62cc5577f010d8c0727edac58380a6a599cbfd484c76e9e7c504826e7ca08a8b
    • Instruction ID: 7b1bf26e09903b65f6ca1c5c3a9dd47c36b4e7f46658322d657825f330b62b91
    • Opcode Fuzzy Hash: 62cc5577f010d8c0727edac58380a6a599cbfd484c76e9e7c504826e7ca08a8b
    • Instruction Fuzzy Hash: F4B012912A99057D333423683D17E3A0D1EE4C0F21330893BF803C014094840C440131
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF70C
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pou
    • API String ID: 1269201914-1565865998
    • Opcode ID: 7d8252c9362019f5833eb5c5c0382a6d5fb6e1ba18f6ae88dd0ed32107b494e4
    • Instruction ID: 21cb46879f5148afa5d81029256b002b6b390bc3e1035af465aeac935034e8cd
    • Opcode Fuzzy Hash: 7d8252c9362019f5833eb5c5c0382a6d5fb6e1ba18f6ae88dd0ed32107b494e4
    • Instruction Fuzzy Hash: CCA002956651057D31145665BD57D7E5A2DF4C0B65330492BF5029414154441D851131
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF70C
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID: Pou
    • API String ID: 1269201914-1565865998
    • Opcode ID: 4a27bb1888582b97c965f33f6b0ebaa270452f53fc1f921af8e4a6e840d27d34
    • Instruction ID: a382287c3020efb820ae7276405b576fd2ce3f94ea64844cbd5823f6f3876fc2
    • Opcode Fuzzy Hash: 4a27bb1888582b97c965f33f6b0ebaa270452f53fc1f921af8e4a6e840d27d34
    • Instruction Fuzzy Hash: 55A002956691067D31145665BD57D7E5A2DE4C4B553304D2BF5038414154441D851131
    APIs
      • Part of subcall function 005EC97B: GetOEMCP.KERNEL32(00000000,?,?,005ECC04,?), ref: 005EC9A6
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,005ECC49,?,00000000), ref: 005ECE24
    • GetCPInfo.KERNEL32(00000000,005ECC49,?,?,?,005ECC49,?,00000000), ref: 005ECE37
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: 97790f9d019ac6e6081f624a0623db5efe1af358fa66f9171a65bc4522ec432d
    • Instruction ID: 372f3dfe9c6674d4a55941b4a47974adfed36356cb57d1da061a60e025771ccf
    • Opcode Fuzzy Hash: 97790f9d019ac6e6081f624a0623db5efe1af358fa66f9171a65bc4522ec432d
    • Instruction Fuzzy Hash: 5B51E2719002859EDB29CF76C8456BBBFEABF81300F14446ED0E6CB252D635D947CB90
    APIs
    • SetFilePointer.KERNEL32(000000FF,?,?,?,-000018C0,00000000,00000800,?,005CACB0,?,?,00000000,?,?,005C9C8B,?), ref: 005CAE3A
    • GetLastError.KERNEL32(?,?,005C9C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 005CAE49
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 7efcf00e06b9b0ddf8958160f2fee76bd8418baf785aebb5779a7adb216976d8
    • Instruction ID: 2533c08e476c17685ab5c122af4658181f73cd67fe80d39d69a94eb042c4926f
    • Opcode Fuzzy Hash: 7efcf00e06b9b0ddf8958160f2fee76bd8418baf785aebb5779a7adb216976d8
    • Instruction Fuzzy Hash: 4141057460434D8FD7249EA4D884FAA7FA4FB9831AF100A2DE84787A51E774DC84CB93
    APIs
    • ShowWindow.USER32(00000000,00000005,?,?,?,?,005DA806,00000000,?), ref: 005DA6A9
    • SetWindowTextW.USER32(00000000,00000000), ref: 005DA6B3
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Window$ShowText
    • String ID:
    • API String ID: 1551406749-0
    • Opcode ID: 15ad03192f461eaac35665bf1842ec61a84d35e45d66bfdd576d19597d3dd2e7
    • Instruction ID: 2f113c1903a292fa51fe3a8ecea813d4e1633c8e4fc95be6da8d2676e07d0dbb
    • Opcode Fuzzy Hash: 15ad03192f461eaac35665bf1842ec61a84d35e45d66bfdd576d19597d3dd2e7
    • Instruction Fuzzy Hash: DE314A35600616AFD724DF68D888A2B7FA9BF48304B09052EF645D7360DB61EC15DF92
    APIs
      • Part of subcall function 005EA515: GetLastError.KERNEL32(?,00603070,005E5982,00603070,?,?,005E5281,00000050,?,00603070,00000200), ref: 005EA519
      • Part of subcall function 005EA515: _free.LIBCMT ref: 005EA54C
      • Part of subcall function 005EA515: SetLastError.KERNEL32(00000000,?,00603070,00000200), ref: 005EA58D
      • Part of subcall function 005EA515: _abort.LIBCMT ref: 005EA593
      • Part of subcall function 005ECD0E: _abort.LIBCMT ref: 005ECD40
      • Part of subcall function 005ECD0E: _free.LIBCMT ref: 005ECD74
      • Part of subcall function 005EC97B: GetOEMCP.KERNEL32(00000000,?,?,005ECC04,?), ref: 005EC9A6
    • _free.LIBCMT ref: 005ECC5F
    • _free.LIBCMT ref: 005ECC95
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID:
    • API String ID: 2991157371-0
    • Opcode ID: 751aa224a0de131b7fcfdffb49eaaafc5e43674cbf66f8866627268e25f5867f
    • Instruction ID: ad7211d2e01349089fd1ebeb978d9f718b5ed0345245ad13559deb8c6483315b
    • Opcode Fuzzy Hash: 751aa224a0de131b7fcfdffb49eaaafc5e43674cbf66f8866627268e25f5867f
    • Instruction Fuzzy Hash: DF31E731900285AFDB18EF6AD544B597FF5FF80320F250099E49C9B291EB32DD42DB40
    APIs
    • FreeLibrary.KERNEL32(00000000,?,006240C4,?,?,?,005E4EF6,00000004,InitializeCriticalSectionEx,005F7424,InitializeCriticalSectionEx,00000000,?,005E4CAD,006240C4,00000FA0), ref: 005E4D85
    • GetProcAddress.KERNEL32(00000000,?), ref: 005E4D8F
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID:
    • API String ID: 3013587201-0
    • Opcode ID: 82dd94e5f71cc1de1f904afa37801338814981d9ebf1d958be14e3a04903836e
    • Instruction ID: 426621cac2e51ec9ca3560fbce0a356176ae065d10ba44b6422f7cb7809d316c
    • Opcode Fuzzy Hash: 82dd94e5f71cc1de1f904afa37801338814981d9ebf1d958be14e3a04903836e
    • Instruction Fuzzy Hash: 3C112632600555AFCF2ACFA6ED848AE3BA9FF5A36071401A9E945DB210EB30DD01DFC0
    APIs
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 005CB157
    • GetLastError.KERNEL32 ref: 005CB164
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: ecd85d1b8799bb77d962bebd17e00611fe19a7cff362e1a47d90830a4ceefba8
    • Instruction ID: 279e22a1724eb33dd3e61ec57354beab9ba98f9800c72ed20f3aaedec80f2963
    • Opcode Fuzzy Hash: ecd85d1b8799bb77d962bebd17e00611fe19a7cff362e1a47d90830a4ceefba8
    • Instruction Fuzzy Hash: F811C231A00711AFE7258AA8C856F67BBE9BB44370F544B2CE152935D0E770AD45CA60
    APIs
    • _free.LIBCMT ref: 005EA6C5
      • Part of subcall function 005EA7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005EDBEC,00000000,?,005E80B1,?,00000008,?,005EA871,?,?,?), ref: 005EA830
    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,006030C4,005C187A,?,?,00000007,?,?,?,005C13F2,?,00000000), ref: 005EA701
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Heap$AllocAllocate_free
    • String ID:
    • API String ID: 2447670028-0
    • Opcode ID: 1de98f48db651ca21392911d13c7ecb720c6dad423b5843ea04782dad0ac7328
    • Instruction ID: 12fd30ba21be409d1569c693c39b6bd047efa2809f75e329870a3fe7c43d009d
    • Opcode Fuzzy Hash: 1de98f48db651ca21392911d13c7ecb720c6dad423b5843ea04782dad0ac7328
    • Instruction Fuzzy Hash: 91F0A4319011E1679B293B375C05A6B2E58BFC3BA0B194025F89496191EA20BD009567
    APIs
    • GetCurrentProcess.KERNEL32(?,?), ref: 005D23CA
    • GetProcessAffinityMask.KERNEL32(00000000), ref: 005D23D1
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Process$AffinityCurrentMask
    • String ID:
    • API String ID: 1231390398-0
    • Opcode ID: ec5e89cf250259fbe2666e8f1a09cf324d28a66743a9744f10836cfcdbb4bf5c
    • Instruction ID: 82a51fb97f92363f5d8e939784025c7192f42537e62c0845b4d030ee04ba2499
    • Instruction Fuzzy Hash: C3E09232B14105A78F1987A8AC098EB7ADCEA64204B104577A613E3200F978DD0597A0
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005D1B56
    • LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,005D063A,Crypt32.dll,00000000,005D06B4,00000200,?,005D0697,00000000,00000000,?), ref: 005D1B78
    Similarity
    • API ID: DirectoryLibraryLoadSystem
    • String ID:
    • API String ID: 1175261203-0
    • Opcode ID: f3495b61bd69741ad75434200345ca6831fadc5dea681078e1c60f5b8ac38fbf
    • Instruction ID: 2afbf5f11eaf3e95c38c8b33cc7ab5191def8557853974d0d73e172260557935
    • Instruction Fuzzy Hash: C9E048765011186ADB1197A4DC0CFDB7B6CFF493C1F0400667645D2104DA74DA84DFB0
    APIs
    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 005DB3E9
    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 005DB3F0
    Similarity
    • API ID: BitmapCreateFromGdipStream
    • String ID:
    • API String ID: 1918208029-0
    • Opcode ID: 5bdeb960187a41faeef2a26be75619f110f4d30c31d88a5857e211a58e2cc0c8
    • Instruction ID: d97aa984d219372e130a7427d4323017f3a977c13e424eec1344f39a9bbb06d7
    • Instruction Fuzzy Hash: 8DE06D71400208EBDB20EF89C404699BBE8FB08350F20846FE98693700E374AE449B91
    APIs
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005E3D3A
    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 005E3D45
    Similarity
    • API ID: Value___vcrt____vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1660781231-0
    • Opcode ID: d1569523de2c7ab5be436c6db3d2d0295360436523e14b788f5af011d61ff534
    • Instruction ID: 1be93377efd311db2933ebc861aaafefb2521a3591a6741c012565da28338cf2
    • Instruction Fuzzy Hash: 25D0A935848BD3549F0C227B2E0E54A1F58BE91FF1BA06A86E1E09F0C1EE248A006822
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: b749149458b13e85105c17e28ac2203ccf0fc1190b7fb715ed6d25171ead6588
    • Instruction ID: 5a4324409a5b5533052ff3e6c7c3c014257fb61505cdf4a09f38a9f7707c7cca
    • Instruction Fuzzy Hash: DEC18034A006559FDF25CFA88484BA97FA5BF46310F1805BDEC06DB297CB349E44CBA5
    APIs
    • __EH_prolog.LIBCMT ref: 005C13FD
      • Part of subcall function 005C6891: __EH_prolog.LIBCMT ref: 005C6896
      • Part of subcall function 005CE298: __EH_prolog.LIBCMT ref: 005CE29D
      • Part of subcall function 005C644D: __EH_prolog.LIBCMT ref: 005C6452
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: e7b212bbf0523888defd52ec9e475c2c0c405c1c5cdd30e0111abc529dee1897
    • Instruction ID: dbe635e557dc02b5d84851eed289a3d592ac0959f7f521dc246f841384093a81
    • Instruction Fuzzy Hash: 735123B19067808ECB18DF6995806D9BFE5BF5A300F0802BEEC59CF68BD7750214CB62
    APIs
    • __EH_prolog.LIBCMT ref: 005C13FD
      • Part of subcall function 005C6891: __EH_prolog.LIBCMT ref: 005C6896
      • Part of subcall function 005CE298: __EH_prolog.LIBCMT ref: 005CE29D
      • Part of subcall function 005C644D: __EH_prolog.LIBCMT ref: 005C6452
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 6789f9bf480b645078e9bc19156214bc38463421b2610e29624557b93efd566b
    • Instruction ID: 1963f2165bbdbb0cc1f1e31223ce720282bdca86213e68ff7269b2bd23dec1e8
    • Instruction Fuzzy Hash: C65124B19067808ECB18DF6995806D9BFE5BF5A300F0802BEEC59CF68BD7751214CB62
    APIs
    • __EH_prolog.LIBCMT ref: 005DC21C
      • Part of subcall function 005C13F8: __EH_prolog.LIBCMT ref: 005C13FD
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: a3bf8360d4c198e239ff9a9e78addc795c15eabe628c4f069ac3ffd907c6fd72
    • Instruction ID: bc5e4205cd151edc8f2e475338c5efcc2a759152b6df0d4f752034585e1477f5
    • Instruction Fuzzy Hash: E721487580425AAECF25DF98C846AEEBFB4BF45304F0004AFE846A3342D7756A45EB60
    APIs
    • GetProcAddress.KERNEL32(00000000,?), ref: 005EBEB8
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: c4767ba1821cf454205eb5d4c8cde3b3af6d7326afe1f65fd8c2d9273e082b66
    • Instruction ID: 6e301e8028c56f44437ea5b4189fa1676d3734d3c779fe8ad1d0e837622393ab
    • Instruction Fuzzy Hash: 4511EB33A005A55FFB399E2ADC405DB779ABBC13217164110EE94AB254DB30EC41C7D1
    APIs
    • __EH_prolog.LIBCMT ref: 005CE29D
      • Part of subcall function 005C6891: __EH_prolog.LIBCMT ref: 005C6896
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 09a8c7ee133ef39206544c7ff2757ade3998afe91189901e5a98bbf36d22449d
    • Instruction ID: e9a351c7c324b23d82dcba43a8bf9948a2056cd02a2b2b1771effea6bec54634
    • Instruction Fuzzy Hash: 8D115E71A042559EEB14EBF9854ABAEBFE8BF84300F14446EA446D3382DEB49E04C761
    APIs
      • Part of subcall function 005EC2F6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,005EA543,00000001,00000364,?,005E5281,00000050,?,00603070,00000200), ref: 005EC337
    • _free.LIBCMT ref: 005ED6A5
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
    • Instruction ID: fac3e6c5f9838af66fbb817a29213cb260b9095599f4f1149db1e1475078eb2b
    • Instruction Fuzzy Hash: 7C01D672600385ABE3258F6ADC45D5AFFE9FBD5370F25062DE5D893280EA30A805C678
    APIs
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: d76ea1027f7ccb21dc038adb8b8704d59c0836ec8eb251645e67a01099abd5cc
    • Instruction ID: 77850ca65547fc506b1d8579254d9841f9b83989f2e2f79c448ea8dfa5f37b89
    • Instruction Fuzzy Hash: 54014FB1640741AED625DB65894AF9B7FE8FBC4B00F00412EB655A6283D7F02600C699
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,005EA543,00000001,00000364,?,005E5281,00000050,?,00603070,00000200), ref: 005EC337
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: cf40346ed7ea2b9a861e10f25d1a58d37c1502fc50d7c25d9f4c81ddf78ebed4
    • Instruction ID: 23ca752b021504a21c6f924499feed2f97b63de33960cd51162cdc4d4647cef3
    • Instruction Fuzzy Hash: EBF024312002A1A6DF2C1E279C06A5B7F48BF88761B04C822E8C9D7190DA20D90282E1
    APIs
    • __EH_prolog.LIBCMT ref: 005C6452
      • Part of subcall function 005D04E5: __EH_prolog.LIBCMT ref: 005D04EA
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 1b54603c11a22db252493816be8854132df8c6df39d8ac62b415798c62048525
    • Instruction ID: a128143124eca7ae66d7c2ce04dab24e4e6b58e9366578f463e0d4bdb54bd1fc
    • Instruction Fuzzy Hash: 9901DB70901B459AD725EBA8C1697EEFFE4BFA4700F10445FE46A63382CBB42708D765
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005EDBEC,00000000,?,005E80B1,?,00000008,?,005EA871,?,?,?), ref: 005EA830
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 998a71787459329d2eac8bd69ad4a45a2d72916336923cd598694327582b7e0d
    • Instruction ID: bdeaead0737c1841f1e911bb72a83937687601db0948826e70a204afce60e53b
    • Instruction Fuzzy Hash: 29E0653510869256E63926779C05B6B3E48FB917B0F154531ECD9960D2DB14FC06C1F3
    APIs
    • GdipAlloc.GDIPLUS(00000010), ref: 005DB63C
      • Part of subcall function 005DB3C8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 005DB3E9
    Similarity
    • API ID: Gdip$AllocBitmapCreateFromStream
    • String ID:
    • API String ID: 1915507550-0
    • Opcode ID: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
    • Instruction ID: 8e3037008061c2149147fdfea5c18fc752be23fd867ad7aca6bfc58b172f3e0e
    • Instruction Fuzzy Hash: EAD0A730204209F6EF112B688C02A7E7ED6BB40340F108433B902D5390EBB1DA60A291
    APIs
    • __EH_prolog.LIBCMT ref: 005C6925
      • Part of subcall function 005D04E5: __EH_prolog.LIBCMT ref: 005D04EA
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: 942f93d1c22e2d8a9cb8c0ef22ad370c9c349b0ef61a2b9c984dec6b18e9aee2
    • Instruction ID: 5fccba723c209c3e7cd0d1a24e1defe73d40c2321a8807ad6e43ec6acb95bc89
    • Instruction Fuzzy Hash: 1CD05E71F108269BDB15BB8C8415BAEBAA4FB84704F00016FF012A3782CBF84A004784
    APIs
    • DloadProtectSection.DELAYIMP ref: 005DF76F
    Similarity
    • API ID: DloadProtectSection
    • String ID:
    • API String ID: 2203082970-0
    • Opcode ID: 9a06e3cb8290dab18594c4487577af6d241f7acb9dc4c1d3f9804ad614d895dd
    • Instruction ID: cff33624e96a3681e211931b9e6bc12a07057b0bf2318079527153a5d2231df3
    • Instruction Fuzzy Hash: 3CD01230A41625A9C331EB3CED9A7983AA1FB4834DF940D33F543C279AC7785641D711
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 8f56884613cea87e35405bd1c1871f43e8d970ac1c54bbb3f8f2b36585a79b50
    • Instruction ID: 25d310f585e76ff3eb1ecd7085b28d8cedc4807b74771028531858cfe0c8ddee
    • Instruction Fuzzy Hash: B0B012A62697037D3264922C7C2BF3F0E6DE0C0B64330883FF403C0240D4401C011631
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: ce3b0877e362d68b97d0b567c8d769bbdfc20e7dda8cca44f218de87c189f020
    • Instruction ID: 1049ce1dc4c7360fabaecdaad3e282e69f3b67596dfbf95df792d7c21b27ded1
    • Instruction Fuzzy Hash: 19B012822796037D3264922CFC2BF3A0E7DF0C0B60330493FF003C4240D4401C011A31
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 2e89972ae43a68a3b711421fcf0011ea62e85321c850d881899134a629ee1f75
    • Instruction ID: 287717e39633d316ac9ebf75529068472436577e8ede53f654f6584cdc124d44
    • Instruction Fuzzy Hash: 90B012826695037D3264922CFD2BF3A0E7DE0C0B603304A3FF003C8240D4801C021631
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 509da7c1b20db8a10815ebab62ee005af28bd5d8b46a249383f87114fafd7cf7
    • Instruction ID: af15fb2c711a266944b3564599ca7810c5572f6558fcbec7045622f0c6e568cd
    • Opcode Fuzzy Hash: 509da7c1b20db8a10815ebab62ee005af28bd5d8b46a249383f87114fafd7cf7
    • Instruction Fuzzy Hash: 29B012D12E96067F3364572C7C27E3A0D1DF0C4B50330483BF003C1240D4404C400331
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 361339ca9cd6ec5d6e0d5f7be887857dfc255b3876326993c4613c1657149700
    • Instruction ID: e6a1eefea24d70ee1cdb9bfb5ce01531f26125c843c8b1d7e8b817be3657236a
    • Opcode Fuzzy Hash: 361339ca9cd6ec5d6e0d5f7be887857dfc255b3876326993c4613c1657149700
    • Instruction Fuzzy Hash: FFB0128527A4017D32245228FD17C3A0D1DE8C0F14330843BF603D418194514C420632
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 3fc6e95a42f5fe6eabf534055622094a54d3aa4fc1e198f6862ad631154c3b86
    • Instruction ID: de2657f38b2e87b46b0cba2129637062a6afa8ab66eddd0aa924f11c9f157a7a
    • Opcode Fuzzy Hash: 3fc6e95a42f5fe6eabf534055622094a54d3aa4fc1e198f6862ad631154c3b86
    • Instruction Fuzzy Hash: DEB012812794017D3224923C7D17D3A0D1DF0C4F14330C43BF103C4284D4414C460731
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: b73a73bf1ec46d631f67100ebd87a2f52a3b5a38f12b35c603641b5b1e87d915
    • Instruction ID: 4623d858caf9ed09290ce86f91024d1f04d73dc5d4d1c3c21646faf45db05ff3
    • Opcode Fuzzy Hash: b73a73bf1ec46d631f67100ebd87a2f52a3b5a38f12b35c603641b5b1e87d915
    • Instruction Fuzzy Hash: BEB012812795017D3324923C7C17D3A0D1DE4C4F24330853BF003C0384D4414C890731
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9360b3f748f3268af60bd750b84f0ea040b5e0e04d7e3c194d56a04d6a27127e
    • Instruction ID: c448ba4210ec1731b552820c0810534b7ae825b3b4837ced52299c32a3f2287a
    • Opcode Fuzzy Hash: 9360b3f748f3268af60bd750b84f0ea040b5e0e04d7e3c194d56a04d6a27127e
    • Instruction Fuzzy Hash: 82A002965691077D355452696D27D3A0A6DE4C4BA53314D2FF5038414194441C455531
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: a55e3a0dbc274a68882c8f4372183bdea1c563a4382a27c6e03a03b90a0d7782
    • Instruction ID: c448ba4210ec1731b552820c0810534b7ae825b3b4837ced52299c32a3f2287a
    • Opcode Fuzzy Hash: a55e3a0dbc274a68882c8f4372183bdea1c563a4382a27c6e03a03b90a0d7782
    • Instruction Fuzzy Hash: 82A002965691077D355452696D27D3A0A6DE4C4BA53314D2FF5038414194441C455531
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9741e3b0134385ddf2ec54f407e81a9401450161f96449fcdc046946b6a66d75
    • Instruction ID: c448ba4210ec1731b552820c0810534b7ae825b3b4837ced52299c32a3f2287a
    • Opcode Fuzzy Hash: 9741e3b0134385ddf2ec54f407e81a9401450161f96449fcdc046946b6a66d75
    • Instruction Fuzzy Hash: 82A002965691077D355452696D27D3A0A6DE4C4BA53314D2FF5038414194441C455531
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 8fb26b0815a31229e4875063828254c8a40f1134c35fb38b9e16c5668cedfa25
    • Instruction ID: c448ba4210ec1731b552820c0810534b7ae825b3b4837ced52299c32a3f2287a
    • Opcode Fuzzy Hash: 8fb26b0815a31229e4875063828254c8a40f1134c35fb38b9e16c5668cedfa25
    • Instruction Fuzzy Hash: 82A002965691077D355452696D27D3A0A6DE4C4BA53314D2FF5038414194441C455531
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 9b0ff0789b6fe3c498fda9d0f9f19949378a04b5588a89acf5bed209a9b92bbf
    • Instruction ID: c448ba4210ec1731b552820c0810534b7ae825b3b4837ced52299c32a3f2287a
    • Opcode Fuzzy Hash: 9b0ff0789b6fe3c498fda9d0f9f19949378a04b5588a89acf5bed209a9b92bbf
    • Instruction Fuzzy Hash: 82A002965691077D355452696D27D3A0A6DE4C4BA53314D2FF5038414194441C455531
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF33D
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: fafa03c877c8ff7cac59ed0ef7b4482f52a16a3f8d8a10d00621e89db80f9525
    • Instruction ID: c448ba4210ec1731b552820c0810534b7ae825b3b4837ced52299c32a3f2287a
    • Opcode Fuzzy Hash: fafa03c877c8ff7cac59ed0ef7b4482f52a16a3f8d8a10d00621e89db80f9525
    • Instruction Fuzzy Hash: 82A002965691077D355452696D27D3A0A6DE4C4BA53314D2FF5038414194441C455531
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6fffe7a7b5ada3d75b030304727be088ad5ed9cbcd09ce591eaedc611fe085d2
    • Instruction ID: 1ef9eb92de0ec4fc556bcdacf61f70263ef0f6625cbe43ce8988dfe17b6c1eef
    • Opcode Fuzzy Hash: 6fffe7a7b5ada3d75b030304727be088ad5ed9cbcd09ce591eaedc611fe085d2
    • Instruction Fuzzy Hash: 0BA012D11A50053E331417247D17C3A091DE0C0B50330482BF0029014054400C000130
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 011b5a1612a3381d268da2aa7f04cc14ea674b0a633c232730e64eae6b009760
    • Instruction ID: 6fe4927a18cbe6aff1d6088d12032b437901cf2ef7f7af1ec82ec71417177fcf
    • Opcode Fuzzy Hash: 011b5a1612a3381d268da2aa7f04cc14ea674b0a633c232730e64eae6b009760
    • Instruction Fuzzy Hash: 7EA001E66AA106BE33686769BD2BD3A0A2DE4C8BA53308D2BF54395281A9845C551231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 985e24443b22eee4b6a9928b11ffd99ebd0f573aeedc96f3160304422a3433df
    • Instruction ID: 6fe4927a18cbe6aff1d6088d12032b437901cf2ef7f7af1ec82ec71417177fcf
    • Opcode Fuzzy Hash: 985e24443b22eee4b6a9928b11ffd99ebd0f573aeedc96f3160304422a3433df
    • Instruction Fuzzy Hash: 7EA001E66AA106BE33686769BD2BD3A0A2DE4C8BA53308D2BF54395281A9845C551231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6bfc9a1f14bd73e97fa743f6f810727d380ecef39128b8228efd09d6b5ab01e3
    • Instruction ID: 6fe4927a18cbe6aff1d6088d12032b437901cf2ef7f7af1ec82ec71417177fcf
    • Opcode Fuzzy Hash: 6bfc9a1f14bd73e97fa743f6f810727d380ecef39128b8228efd09d6b5ab01e3
    • Instruction Fuzzy Hash: 7EA001E66AA106BE33686769BD2BD3A0A2DE4C8BA53308D2BF54395281A9845C551231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 51ea2c828ca474915504278b2a369cc84cbe23c2fee673ead8272aa1c63239c7
    • Instruction ID: 6fe4927a18cbe6aff1d6088d12032b437901cf2ef7f7af1ec82ec71417177fcf
    • Opcode Fuzzy Hash: 51ea2c828ca474915504278b2a369cc84cbe23c2fee673ead8272aa1c63239c7
    • Instruction Fuzzy Hash: 7EA001E66AA106BE33686769BD2BD3A0A2DE4C8BA53308D2BF54395281A9845C551231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: ca67e5847aeb3c4b1ec6c52c22234ea70d40efed4c12b4ce20957d725b2c3cb3
    • Instruction ID: 6fe4927a18cbe6aff1d6088d12032b437901cf2ef7f7af1ec82ec71417177fcf
    • Opcode Fuzzy Hash: ca67e5847aeb3c4b1ec6c52c22234ea70d40efed4c12b4ce20957d725b2c3cb3
    • Instruction Fuzzy Hash: 7EA001E66AA106BE33686769BD2BD3A0A2DE4C8BA53308D2BF54395281A9845C551231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF556
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: dbbdbe65ff477a8d7888f701fb965e96e02c0d09f237d01f570884a4f6955c87
    • Instruction ID: 6fe4927a18cbe6aff1d6088d12032b437901cf2ef7f7af1ec82ec71417177fcf
    • Opcode Fuzzy Hash: dbbdbe65ff477a8d7888f701fb965e96e02c0d09f237d01f570884a4f6955c87
    • Instruction Fuzzy Hash: 7EA001E66AA106BE33686769BD2BD3A0A2DE4C8BA53308D2BF54395281A9845C551231
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 0e6a7ca8a39fd8e5bedd8e3fa22d3e8e0c4b390a0e6dfcfeeafc0a9598f2d1e5
    • Instruction ID: 48163e96c2207125a7eb59b683fe801e1012c431e0db56f84a32851b07435726
    • Opcode Fuzzy Hash: 0e6a7ca8a39fd8e5bedd8e3fa22d3e8e0c4b390a0e6dfcfeeafc0a9598f2d1e5
    • Instruction Fuzzy Hash: 91A012811790027C311452246C17C3A091CE0C4F54330482BF0038018054400C410230
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 95b4f2daf058848d61128af0b89b066698b38b2dbddf40af350b36a1a403639a
    • Instruction ID: 48163e96c2207125a7eb59b683fe801e1012c431e0db56f84a32851b07435726
    • Opcode Fuzzy Hash: 95b4f2daf058848d61128af0b89b066698b38b2dbddf40af350b36a1a403639a
    • Instruction Fuzzy Hash: 91A012811790027C311452246C17C3A091CE0C4F54330482BF0038018054400C410230
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 1aa58a6f9ec474f34fdf060333ef7f9ddf9a943ece5635286921d11b12fdf6fe
    • Instruction ID: 48163e96c2207125a7eb59b683fe801e1012c431e0db56f84a32851b07435726
    • Opcode Fuzzy Hash: 1aa58a6f9ec474f34fdf060333ef7f9ddf9a943ece5635286921d11b12fdf6fe
    • Instruction Fuzzy Hash: 91A012811790027C311452246C17C3A091CE0C4F54330482BF0038018054400C410230
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: be0b8c94178416b559eec6058d0a64f049eab285f75e851fe52385c313efd794
    • Instruction ID: 48163e96c2207125a7eb59b683fe801e1012c431e0db56f84a32851b07435726
    • Opcode Fuzzy Hash: be0b8c94178416b559eec6058d0a64f049eab285f75e851fe52385c313efd794
    • Instruction Fuzzy Hash: 91A012811790027C311452246C17C3A091CE0C4F54330482BF0038018054400C410230
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 005DF6AB
      • Part of subcall function 005DF9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005DFA5C
      • Part of subcall function 005DF9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005DFA6D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 25d6d6d7e729cd05ca730dba8e82f4c6d89a676e8ace1ccfb1c8804c4f0bb8dd
    • Instruction ID: 48163e96c2207125a7eb59b683fe801e1012c431e0db56f84a32851b07435726
    • Opcode Fuzzy Hash: 25d6d6d7e729cd05ca730dba8e82f4c6d89a676e8ace1ccfb1c8804c4f0bb8dd
    • Instruction Fuzzy Hash: 91A012811790027C311452246C17C3A091CE0C4F54330482BF0038018054400C410230
    APIs
    • CloseHandle.KERNEL32(000000FF,?,?,005CA83D,?,?,?,?,?,005F380F,000000FF), ref: 005CA89B
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 92bc9a0bfc9984510990d7ae0127b05a271117bb247e01aaf4f782d2a62ef29e
    • Instruction ID: d9ae2062ac48f2ef0a47ef1a49b9e7aaad45c4fb8516d95513390341bef0e657
    • Opcode Fuzzy Hash: 92bc9a0bfc9984510990d7ae0127b05a271117bb247e01aaf4f782d2a62ef29e
    • Instruction Fuzzy Hash: EFF0E931081B198FEB308A64C44CB92BFE8BB1132DF040B5DC0E3439E4D364698ECB51
    APIs
      • Part of subcall function 005C12F6: GetParent.USER32(?), ref: 005C132A
      • Part of subcall function 005C12F6: GetDlgItem.USER32(00000000,00003021), ref: 005C133A
      • Part of subcall function 005C12F6: SetWindowTextW.USER32(00000000,005F45F4), ref: 005C1350
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 005DD4B1
    • GetDlgItem.USER32(?,0000006C), ref: 005DD4E0
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 005DD521
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 005DD558
    • FindFirstFileW.KERNEL32(?,?), ref: 005DD56E
      • Part of subcall function 005DBC2B: FileTimeToSystemTime.KERNEL32(?,?), ref: 005DBC3F
      • Part of subcall function 005DBC2B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 005DBC50
      • Part of subcall function 005DBC2B: SystemTimeToFileTime.KERNEL32(?,?), ref: 005DBC5E
      • Part of subcall function 005DBC2B: FileTimeToSystemTime.KERNEL32(?,?), ref: 005DBC6C
      • Part of subcall function 005DBC2B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 005DBC87
      • Part of subcall function 005DBC2B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 005DBCAE
      • Part of subcall function 005DBC2B: _swprintf.LIBCMT ref: 005DBCD4
    • _swprintf.LIBCMT ref: 005DD5B7
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 005DD5CA
    • FindClose.KERNEL32(00000000), ref: 005DD5D1
    • _swprintf.LIBCMT ref: 005DD620
    • SetDlgItemTextW.USER32(?,00000068,?), ref: 005DD633
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 005DD650
    • _swprintf.LIBCMT ref: 005DD683
    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 005DD696
    • _swprintf.LIBCMT ref: 005DD6E0
    • SetDlgItemTextW.USER32(?,00000069,?), ref: 005DD6F3
      • Part of subcall function 005DC093: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 005DC0B9
      • Part of subcall function 005DC093: GetNumberFormatW.KERNEL32(00000400,00000000,?,0060072C,?,?), ref: 005DC108
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateFirstInfoLocalLocaleNumberParentSpecificWindow__vswprintf_c_l
    • String ID: %s %s$REPLACEFILEDLG
    • API String ID: 415862220-439456425
    • Opcode ID: 572d1bb2e7a67116a8e1d3493b3566dff567346e136bcdd3f85f1ee2fc0fa638
    • Instruction ID: af3ea70a6acf0f036b6147e2f74b285989fd56ba7fd90216d63631dc2399b2aa
    • Opcode Fuzzy Hash: 572d1bb2e7a67116a8e1d3493b3566dff567346e136bcdd3f85f1ee2fc0fa638
    • Instruction Fuzzy Hash: C271F8721447047BE731ABA8CC4DFFB7BADFB85700F04081BB64AD2181D6B5A5058772
    APIs
    • __EH_prolog.LIBCMT ref: 005C7AB4
    • _wcslen.LIBCMT ref: 005C7B1D
    • _wcslen.LIBCMT ref: 005C7B8E
      • Part of subcall function 005C8704: GetCurrentProcess.KERNEL32(00000020,?), ref: 005C8713
      • Part of subcall function 005C8704: GetLastError.KERNEL32 ref: 005C8759
      • Part of subcall function 005C8704: CloseHandle.KERNEL32(?), ref: 005C8768
      • Part of subcall function 005CB470: DeleteFileW.KERNEL32(?,00000000,?,005CA438,?,?,?,?,005C892B,?,?,?,005F380F,000000FF), ref: 005CB481
      • Part of subcall function 005CB470: DeleteFileW.KERNEL32(?,?,?,00000800,?,005CA438,?,?,?,?,005C892B,?,?,?,005F380F,000000FF), ref: 005CB4AF
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 005C7C43
    • CloseHandle.KERNEL32(00000000), ref: 005C7C5F
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 005C7DAB
      • Part of subcall function 005CB032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,005C7ED0,?,?,?,00000000), ref: 005CB04C
      • Part of subcall function 005CB032: SetFileTime.KERNEL32(?,?,?,?), ref: 005CB100
      • Part of subcall function 005CA880: CloseHandle.KERNEL32(000000FF,?,?,005CA83D,?,?,?,?,?,005F380F,000000FF), ref: 005CA89B
      • Part of subcall function 005CB8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,005CB5B5,?,?,?,005CB405,?,00000001,00000000,?,?), ref: 005CB8FA
      • Part of subcall function 005CB8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,005CB5B5,?,?,?,005CB405,?,00000001,00000000,?,?), ref: 005CB92B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
    • API String ID: 3983180755-3508440684
    • Opcode ID: f6994a7a2897d9c1bb2599fba8b693e8854b708578b3bc93783a5a5aeaa74a8d
    • Instruction ID: e35ab65dd46eb4e3714c0ae365cc3b4733a2f7b7c387573a51ec223e21d08351
    • Opcode Fuzzy Hash: f6994a7a2897d9c1bb2599fba8b693e8854b708578b3bc93783a5a5aeaa74a8d
    • Instruction Fuzzy Hash: 23C1B47190424EAEDB15DBB4C849FEEBBACBF48310F00455AF546E7681DB34AA44CFA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 52af29e8151a86e5782b657ef53d4053976b3b9300241746030778a66c1d68d8
    • Instruction ID: 8783069aa17b5ac31a966fe0dee848954b772c954ff0eb4a4d2352b8cde05489
    • Opcode Fuzzy Hash: 52af29e8151a86e5782b657ef53d4053976b3b9300241746030778a66c1d68d8
    • Instruction Fuzzy Hash: 62C26C71E046698FDB29CE29DD407EABBB5FB84304F1445EAD48DE7241EB74AE818F40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: H_prolog_swprintf
    • String ID: CMT$h%u$hc%u
    • API String ID: 146138363-3282847064
    • Opcode ID: 40942167477ce0901184eb6e6438af37200bd2287632040d60aba5743c9f4f06
    • Instruction ID: 6d2de161e7597cca672fd4a0aaac2245c6e18e53a35e479d240b0ba5ee4955f0
    • Opcode Fuzzy Hash: 40942167477ce0901184eb6e6438af37200bd2287632040d60aba5743c9f4f06
    • Instruction Fuzzy Hash: 7042B3715012899EDF24DFA4C896FE93FA5BF55300F08447DFC468B282DB74AA89CB61
    APIs
    • __EH_prolog.LIBCMT ref: 005C2EBF
    • _strlen.LIBCMT ref: 005C348B
      • Part of subcall function 005D1600: __EH_prolog.LIBCMT ref: 005D1605
      • Part of subcall function 005D2ED2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,005CCF18,00000000,?,?), ref: 005D2EEE
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C35DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
    • String ID: CMT
    • API String ID: 1206968400-2756464174
    • Opcode ID: 12dc4c9367f21644c215a6d0c38090f5fb034959046d2a73302059a8c8b4cf74
    • Instruction ID: 0b128c6eb9aa12c6d7d49bd4ef143ba6cdac9890a4a714e5ce67c9aeaa455d99
    • Opcode Fuzzy Hash: 12dc4c9367f21644c215a6d0c38090f5fb034959046d2a73302059a8c8b4cf74
    • Instruction Fuzzy Hash: 0A6207716002898FDF29CFB8C899BE93FA1BF55300F08857EEC5A9B282D7759644CB50
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,005CB98B,000000FF,?,?), ref: 005CBABD
      • Part of subcall function 005CCF32: _wcslen.LIBCMT ref: 005CCF56
    • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,005CB98B,000000FF,?,?), ref: 005CBAEB
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,005CB98B,000000FF,?,?), ref: 005CBAF7
    • FindNextFileW.KERNEL32(?,?,?,?,?,?,005CB98B,000000FF,?,?), ref: 005CBB21
    • GetLastError.KERNEL32(?,?,?,?,005CB98B,000000FF,?,?), ref: 005CBB2D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FileFind$ErrorFirstLast$Next_wcslen
    • String ID:
    • API String ID: 42610566-0
    • Opcode ID: 75b0e88d5be2cb87b805fd7921860a8ca18ad956d3d2e224598d2c39a0ddfb1b
    • Instruction ID: adb072f49b09ec4b490b976a77c0334035861d5b889b5e28d048c918e56516a5
    • Opcode Fuzzy Hash: 75b0e88d5be2cb87b805fd7921860a8ca18ad956d3d2e224598d2c39a0ddfb1b
    • Instruction Fuzzy Hash: 54414D72500519AFCB25DFA8CC89BEABBB8FB48350F10069AE55DD3200DB346E94DF90
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E0A16
    • IsDebuggerPresent.KERNEL32 ref: 005E0AE2
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005E0B02
    • UnhandledExceptionFilter.KERNEL32(?), ref: 005E0B0C
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 9ef419855bd0d0a48f444be03498296cc6f6fcf167a002780eadaf8a8114b37a
    • Instruction ID: 7352541283ef7828e84cdccd9611da5e992cf14f9d04c9b05adad5fe2063236a
    • Opcode Fuzzy Hash: 9ef419855bd0d0a48f444be03498296cc6f6fcf167a002780eadaf8a8114b37a
    • Instruction Fuzzy Hash: E9313A75D012199BDB20EFA1D989BCDBBB8BF18304F1041AAE54CA7290EB755AC4DF44
    APIs
    • VirtualQuery.KERNEL32(80000000,005DF774,0000001C,005DF969,00000000,?,?,?,?,?,?,?,005DF774,00000004,00623D24,005DF9F9), ref: 005DF840
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,005DF774,00000004,00623D24,005DF9F9), ref: 005DF85B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: InfoQuerySystemVirtual
    • String ID: D
    • API String ID: 401686933-2746444292
    • Opcode ID: d6f86a8c0fc4aeeb269e4c4cc82c57ae975904ae17fb54fea31a95266c7be43b
    • Instruction ID: 793ec161e21de5c1fbe43f6075a133b46724e8ac9ab5e602033cce2cc84bc906
    • Opcode Fuzzy Hash: d6f86a8c0fc4aeeb269e4c4cc82c57ae975904ae17fb54fea31a95266c7be43b
    • Instruction Fuzzy Hash: B301FC326001099BCB24DE29DC05BEE7BE9BFD4324F0CC136AD1AD7254D638D945C780
    APIs
    • __EH_prolog.LIBCMT ref: 005C92CB
      • Part of subcall function 005CD656: _wcsrchr.LIBVCRUNTIME ref: 005CD660
      • Part of subcall function 005CCAA0: _wcslen.LIBCMT ref: 005CCAA6
      • Part of subcall function 005D1907: _wcslen.LIBCMT ref: 005D190D
      • Part of subcall function 005CB5D6: _wcslen.LIBCMT ref: 005CB5E2
      • Part of subcall function 005CB5D6: __aulldiv.LIBCMT ref: 005CB60E
      • Part of subcall function 005CB5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 005CB615
      • Part of subcall function 005CB5D6: _swprintf.LIBCMT ref: 005CB640
      • Part of subcall function 005CB5D6: _wcslen.LIBCMT ref: 005CB64A
      • Part of subcall function 005CB5D6: _swprintf.LIBCMT ref: 005CB6A0
      • Part of subcall function 005CB5D6: _wcslen.LIBCMT ref: 005CB6AA
      • Part of subcall function 005C4727: __EH_prolog.LIBCMT ref: 005C472C
      • Part of subcall function 005CA212: __EH_prolog.LIBCMT ref: 005CA217
      • Part of subcall function 005CB8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,005CB5B5,?,?,?,005CB405,?,00000001,00000000,?,?), ref: 005CB8FA
      • Part of subcall function 005CB8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,005CB5B5,?,?,?,005CB405,?,00000001,00000000,?,?), ref: 005CB92B
    Strings
    • __tmp_reference_source_, xrefs: 005C9596
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
    • String ID: __tmp_reference_source_
    • API String ID: 70197177-685763994
    • Opcode ID: a2db37bfdb439ae7997ded2bd1a1d4c87641dcd75263d9e915a5de2e617d129f
    • Instruction ID: 4fa088f3932491fa5b3a9ff1f18b0b33e59fb9170d951b2e70e78e8a5587eb2f
    • Opcode Fuzzy Hash: a2db37bfdb439ae7997ded2bd1a1d4c87641dcd75263d9e915a5de2e617d129f
    • Instruction Fuzzy Hash: B2A2E771904246AEDF19DFA4C88DFE9BFB8BF45304F0805BDE9499B282D7349944CBA1
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005E50E7
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005E50F1
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 005E50FE
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 1beb8ddd97cd5781de1cccc7576d58447368ddec4dadc4542331412f714cb3fc
    • Instruction ID: 88be256f4dc4713a871e8062d73f13ad2d04ac702f7fd1316472b7c744018aa5
    • Opcode Fuzzy Hash: 1beb8ddd97cd5781de1cccc7576d58447368ddec4dadc4542331412f714cb3fc
    • Instruction Fuzzy Hash: 0431F3709012199BCB25DF65DD89B9DBBB8BF58310F1042DAE84CA7250E7749F85CF44
    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,005E9186,00000000,005FD570,0000000C,005E92DD,00000000,00000002,00000000), ref: 005E91D1
    • TerminateProcess.KERNEL32(00000000,?,005E9186,00000000,005FD570,0000000C,005E92DD,00000000,00000002,00000000), ref: 005E91D8
    • ExitProcess.KERNEL32 ref: 005E91EA
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 72747a08ac143f1aae49b02e80875d92dd2a93a596d903a9aecb5da8f725885e
    • Instruction ID: ab4c55d490db1105f79708cecb27d4ed92bcc169c87efb2ebba4b0952612b37a
    • Opcode Fuzzy Hash: 72747a08ac143f1aae49b02e80875d92dd2a93a596d903a9aecb5da8f725885e
    • Instruction Fuzzy Hash: 77E0B63500458AABCF196F65DD0DE693F6AFFA0352F014014FA898B221CB39ED86DA90
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
    • Instruction ID: a1e50091e6b3da5275cc70b359beb41ad26767a00f85171761054d37b859ef18
    • Opcode Fuzzy Hash: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
    • Instruction Fuzzy Hash: A7025D71E102599BDF18CFA9C8816ADBBF1FF88314F25816AD859E7381D730AE41CB80
    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 005DC0B9
    • GetNumberFormatW.KERNEL32(00000400,00000000,?,0060072C,?,?), ref: 005DC108
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FormatInfoLocaleNumber
    • String ID:
    • API String ID: 2169056816-0
    • Opcode ID: 9fcad929b92b9c235455caadfd8127462308aaa802f14eaa64d0543893408442
    • Instruction ID: 8475650ecd7861058544b2dac3a32bd16b0c3ce75e2f88bb17510ddfe35d15cb
    • Opcode Fuzzy Hash: 9fcad929b92b9c235455caadfd8127462308aaa802f14eaa64d0543893408442
    • Instruction Fuzzy Hash: 99015E39240209BAE7208FA4EC45F9B7BBDEF19710F005422FA04E7190D374A915CFA5
    APIs
    • GetLastError.KERNEL32(005C7886,?,00000400), ref: 005C7727
    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 005C7748
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 9e4f48b010c2ff2f981f7869feef79c8d20e460e5c41c01e4f31c6da42cba880
    • Instruction ID: 8a130efa300ab12a35cb0404fe331e252d0ec5f7e1219ca01799e27b038b4780
    • Opcode Fuzzy Hash: 9e4f48b010c2ff2f981f7869feef79c8d20e460e5c41c01e4f31c6da42cba880
    • Instruction Fuzzy Hash: BCD05231248304BEEA400BB05C0AF3B2B9DBB18B41F108408B304E90E0EA789028AA28
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005F2BAF,?,?,00000008,?,?,005F284F,00000000), ref: 005F2DE1
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: eed50135f80570bc8ed410ca905cc597c290ed45d3db9eb2ec3c5667e9509316
    • Instruction ID: 96cbac83347a7224ce6cfa49af139be55ab201c1e8a6be8fcf3e04b959d0184f
    • Opcode Fuzzy Hash: eed50135f80570bc8ed410ca905cc597c290ed45d3db9eb2ec3c5667e9509316
    • Instruction Fuzzy Hash: F2B12B715106099FD715CF28C48AB757FE0FF45364F298658EA9ACF2A1C339E992CB40
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005E083C
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 4307cfe4bb423b4da970f82ec072418131b42bc7a2f9abc6981051f2dff5220a
    • Instruction ID: 3df6a9acf0bfa0c0680e4a1757e1feb9cbc2431d0d4b3df4a67dadc36c88db0d
    • Opcode Fuzzy Hash: 4307cfe4bb423b4da970f82ec072418131b42bc7a2f9abc6981051f2dff5220a
    • Instruction Fuzzy Hash: 05519271A406558FEB28CF55D8817AEBBF1FB48304F24992AC441EB3A1D3B8D981CF90
    APIs
    • GetVersionExW.KERNEL32(?), ref: 005CC388
      • Part of subcall function 005CC3F7: __EH_prolog.LIBCMT ref: 005CC3FC
      • Part of subcall function 005CC3F7: CoCreateInstance.COMBASE(005F68A0,00000000,00000001,005F67D0,?), ref: 005CC41E
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CreateH_prologInstanceVersion
    • String ID:
    • API String ID: 511865808-0
    • Opcode ID: 0f46dc6afb828f1cb14383c385c13645b1ef2476b9bd3fa61008105e83193486
    • Instruction ID: 48f9c846a098c02524eec0688021e83078a75489c07a4ff8b7ec4af770a6875e
    • Opcode Fuzzy Hash: 0f46dc6afb828f1cb14383c385c13645b1ef2476b9bd3fa61008105e83193486
    • Instruction Fuzzy Hash: 8EF082305052D88EDF25DBA0B80ABD93FE96B11B09F0498C9C14952392C2B586C9DF76
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID: gj
    • API String ID: 0-4203073231
    • Opcode ID: 8b2118f728ac9d7bcded269a6b8401e1725e34c3f31edaeba0b6810ef909e09f
    • Instruction ID: f95fc09139f8ccc472866921d83a9d1f96ded1ffb91b329e51babc12e1a5ba1c
    • Opcode Fuzzy Hash: 8b2118f728ac9d7bcded269a6b8401e1725e34c3f31edaeba0b6810ef909e09f
    • Instruction Fuzzy Hash: 80C116B2A183418FC754CF6AD88065BFBE1FFC9208F19892DE998D7301D734A9458F96
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00020BB0,005E0605), ref: 005E0BA2
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: f99323783828b594fa423b212b1931a442f2a3d26b7bd14f5b3e2db4564f5912
    • Instruction ID: 9ce9110bf6f28474d99863e204763fd056ee507120aec6eee1cd6f01be60954f
    • Opcode Fuzzy Hash: f99323783828b594fa423b212b1931a442f2a3d26b7bd14f5b3e2db4564f5912
    • Instruction Fuzzy Hash:
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: cd0ca435c54641c9cea4f597e718b2fe94cfe1fd899e0317d402e67911e3245e
    • Instruction ID: 82796b56b76f80993db420355a846092420fcf9a2b77eaf2790d852168a3ed4e
    • Opcode Fuzzy Hash: cd0ca435c54641c9cea4f597e718b2fe94cfe1fd899e0317d402e67911e3245e
    • Instruction Fuzzy Hash: 97A011302022008B83008F32AA0830E3AAAAA222803008028E008C0220EB2880A0EA02
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 49c86cf5dfd120552ca6a330adbc3208c23189e3a77a00f43a99fa3c4c682a92
    • Instruction ID: 85aa499ba80b4905590c172cc59ea7cc2806c1e0e095040ad8051e71c82115e6
    • Opcode Fuzzy Hash: 49c86cf5dfd120552ca6a330adbc3208c23189e3a77a00f43a99fa3c4c682a92
    • Instruction Fuzzy Hash: 4F62B471608B899FCB39CF2CC4906B97FE1BF99304F14896FD89A8B342E634A945C711
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a99e5591819f93bed0ea4b7cda3a5de53e9357d52e2d772d63c253c1e4b53f2a
    • Instruction ID: ec97ed941d802118d90601a196dccaf1c6850e1762bb567b529217d7e0f4c255
    • Opcode Fuzzy Hash: a99e5591819f93bed0ea4b7cda3a5de53e9357d52e2d772d63c253c1e4b53f2a
    • Instruction Fuzzy Hash: 4E62D4716082469FCB29CF2CC4906B9BBE1BF95304F08866FEC998B346D730E945DB91
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dfbf6881d0393643dd25d5cfa1cce131a79b466a846340052269a16c1008f441
    • Instruction ID: 7b32fd6b802a5fb5dd18c4a8c2d0274f3ee5a0ad5b7b018c5c7105afdd542c84
    • Opcode Fuzzy Hash: dfbf6881d0393643dd25d5cfa1cce131a79b466a846340052269a16c1008f441
    • Instruction Fuzzy Hash: 18524972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e57bfc111586898b5ce2525d397cf57d4ddd8a22a86ad1c690e6c471aeff6cde
    • Instruction ID: 429759503e1402ce98ebdf674a30f9febe7e2e259b4f82e37e1aa2d289ab9a38
    • Opcode Fuzzy Hash: e57bfc111586898b5ce2525d397cf57d4ddd8a22a86ad1c690e6c471aeff6cde
    • Instruction Fuzzy Hash: 2C12BF716047068FC728CF28C895B79BBE0FB54308F14892FE99AC7781EB74A995CB45
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a72c86b67bb509f8b026a9eb421964a4975268c4eb86192d4e893b05e2495f4e
    • Instruction ID: c04450fee389472996fd650c89a89b1715cc58525fae8841f72acf114acbea66
    • Opcode Fuzzy Hash: a72c86b67bb509f8b026a9eb421964a4975268c4eb86192d4e893b05e2495f4e
    • Instruction Fuzzy Hash: A4F16771A083458FC715CE68C884A2ABFF5FBC9314F184A2EE4C6D7252D631E945CBA2
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: H_prolog
    • String ID:
    • API String ID: 3519838083-0
    • Opcode ID: c2a2289699d6c4c6ce920d92b3ac1a1114e804a43f6428c38ecad6b60727f8bc
    • Instruction ID: f5166e901819dafd488975bf5f8020d13ab898e3ce87c01b2c6ef83b4b7df27e
    • Opcode Fuzzy Hash: c2a2289699d6c4c6ce920d92b3ac1a1114e804a43f6428c38ecad6b60727f8bc
    • Instruction Fuzzy Hash: 3CD160716083458FDB24CF2CC84476ABBE5BF89308F04456FE9899B342D774E949CB5A
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c4f2b823a635d558372637c4bdb2fbb7003e45912546cf14eda18b2026618637
    • Instruction ID: 6bf80a11aad34d626e907d90a2b616fdda35490503da9f5d9831024faa760922
    • Opcode Fuzzy Hash: c4f2b823a635d558372637c4bdb2fbb7003e45912546cf14eda18b2026618637
    • Instruction Fuzzy Hash: C0E148745583918FC304CF59D88056BBBE1BB9A300F4A095EF9C587393C734EA15DBA6
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fbc3703b16c3aae3db15c4d448ff6b4734694cd092f9e90ebe0c6dc9e479c305
    • Instruction ID: 0f900357dec5eec161b5338da5a497e801d54de8d0fc49c0f879b661a58f8729
    • Opcode Fuzzy Hash: fbc3703b16c3aae3db15c4d448ff6b4734694cd092f9e90ebe0c6dc9e479c305
    • Instruction Fuzzy Hash: CA9129B0200B469BDB34EF68D896BBA7FD5BB90300F100D2FE59687382FB7499448752
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 931725267d3afae2a79d0ebb937372447d19929da5c01f319e552610ee085862
    • Instruction ID: 956df091f83765c1bc05b457764bc1820b4b064dae935fa4fa1721edf2c6d06d
    • Opcode Fuzzy Hash: 931725267d3afae2a79d0ebb937372447d19929da5c01f319e552610ee085862
    • Instruction Fuzzy Hash: 8F8115717047469FEB34DA6CC895BBD3FD5FB90344F14092FE9868B382EA648885C752
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1b43bf005f420b1bbd5a22aaac494e759624fb3a5d08c94762eec4ed88e38afc
    • Instruction ID: 8e84ba326a6678423969ed62ef5b891440226ad70a5dd23e7af16721ca980593
    • Opcode Fuzzy Hash: 1b43bf005f420b1bbd5a22aaac494e759624fb3a5d08c94762eec4ed88e38afc
    • Instruction Fuzzy Hash: A9615AB17507C9A6DE3C4A2BA959BBE2F94FB717C4F90081BE8C3CB189D611ED428315
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
    • Instruction ID: 8d4b26350660966e6e9c5dac59d5b2694bfbbab1ba12b67cfa6780e4bf807c7c
    • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
    • Instruction Fuzzy Hash: 555156616007CA97DF3C896B85997BE2F99BB7A3C0F180D1DE9C2D76C2C614ED058352
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 59c90b326ae750a163d36f5f0a940ebf0159cd809bfd08645a1ccb029928d703
    • Instruction ID: 236449d543b51c7c3942bec4369832bce4d35362154d62dee440bfba116286a0
    • Opcode Fuzzy Hash: 59c90b326ae750a163d36f5f0a940ebf0159cd809bfd08645a1ccb029928d703
    • Instruction Fuzzy Hash: 1451C4315093D54BCB21CF288544A6EBFE0BEDA314F49599BE5DA5B382C230DA4ACB52
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fe44c26aca9e457bd7f0f0c8baa3a445e5561c08d9dc2d90e6a109484eaab603
    • Instruction ID: 45d1f32d3e99d05fb0ab5813b0fbcb728832c221323816ffbc608f1572ba61bf
    • Opcode Fuzzy Hash: fe44c26aca9e457bd7f0f0c8baa3a445e5561c08d9dc2d90e6a109484eaab603
    • Instruction Fuzzy Hash: 7051F0B1A087119FC748CF19D48055AFBE1FF88314F058A2EE899E3341D734E959CB9A
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
    • Instruction ID: dc7be0e625796a3d2da94431017dd215d3fd44d521c9e8d0d9a6b7a3e6fa0a4b
    • Opcode Fuzzy Hash: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
    • Instruction Fuzzy Hash: 8D31F4B1A04B068FD724DF68C85666ABFE0FB95300F104A2EE4D6D7742D735E90ACB91
    APIs
    • __EH_prolog.LIBCMT ref: 005DD889
      • Part of subcall function 005DC504: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 005DC5EB
    • _wcslen.LIBCMT ref: 005DDB4F
    • _wcslen.LIBCMT ref: 005DDB58
    • SetWindowTextW.USER32(?,?), ref: 005DDBB6
    • _wcslen.LIBCMT ref: 005DDBF8
    • _wcsrchr.LIBVCRUNTIME ref: 005DDD40
    • GetDlgItem.USER32(?,00000066), ref: 005DDD7B
    • SetWindowTextW.USER32(00000000,?), ref: 005DDD8B
    • SendMessageW.USER32(00000000,00000143,00000000,0061389A), ref: 005DDD99
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005DDDC4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 2804936435-312220925
    • Opcode ID: 43addee7e029c3a1b2e2b1eaebf06cb21b1c13fbe3d66e0b6a7689f0de182b97
    • Instruction ID: c1d5e6d7a1ed69edfe8ed8baa7048633a25aa4dbc8718867815d3f0943a6211b
    • Opcode Fuzzy Hash: 43addee7e029c3a1b2e2b1eaebf06cb21b1c13fbe3d66e0b6a7689f0de182b97
    • Instruction Fuzzy Hash: B3E16272900159AADB34ABA4DC89EEE7BBCBB44350F4044A7F645E7250EE749E84CB60
    APIs
    • _swprintf.LIBCMT ref: 005CF62E
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
      • Part of subcall function 005D30F5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00603070,00000200,005CEC48,00000000,?,00000050,00603070), ref: 005D3112
    • _strlen.LIBCMT ref: 005CF64F
    • SetDlgItemTextW.USER32(?,00600274,?), ref: 005CF6AF
    • GetWindowRect.USER32(?,?), ref: 005CF6E9
    • GetClientRect.USER32(?,?), ref: 005CF6F5
    • GetWindowRect.USER32(?,?), ref: 005CF7C2
    • SetWindowTextW.USER32(?,?), ref: 005CF7FB
    • GetSystemMetrics.USER32(00000008), ref: 005CF803
    • GetWindow.USER32(?,00000005), ref: 005CF80E
    • GetWindowRect.USER32(00000000,?), ref: 005CF83B
    • GetWindow.USER32(00000000,00000002), ref: 005CF8AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Window$Rect$Text$ByteCharClientItemMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
    • String ID: $%s:$CAPTION$d
    • API String ID: 2919830780-2512411981
    • Opcode ID: 806b612ad336e3e99927135e52ef2fd77baccd031b615f9d3037d16967a36966
    • Instruction ID: 046c109d9b5b8de767b0f5b16807567cc575eaf552647b806e39c9a013d3400f
    • Opcode Fuzzy Hash: 806b612ad336e3e99927135e52ef2fd77baccd031b615f9d3037d16967a36966
    • Instruction Fuzzy Hash: 5B8190721087019FD720DFA8CD89F6BBBEAFB88714F04092DFA8597250D670E8058B52
    APIs
    • ___free_lconv_mon.LIBCMT ref: 005EDD26
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED8DE
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED8F0
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED902
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED914
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED926
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED938
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED94A
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED95C
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED96E
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED980
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED992
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED9A4
      • Part of subcall function 005ED8C1: _free.LIBCMT ref: 005ED9B6
    • _free.LIBCMT ref: 005EDD1B
      • Part of subcall function 005EA66A: RtlFreeHeap.NTDLL(00000000,00000000,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?), ref: 005EA680
      • Part of subcall function 005EA66A: GetLastError.KERNEL32(?,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?,?), ref: 005EA692
    • _free.LIBCMT ref: 005EDD3D
    • _free.LIBCMT ref: 005EDD52
    • _free.LIBCMT ref: 005EDD5D
    • _free.LIBCMT ref: 005EDD7F
    • _free.LIBCMT ref: 005EDD92
    • _free.LIBCMT ref: 005EDDA0
    • _free.LIBCMT ref: 005EDDAB
    • _free.LIBCMT ref: 005EDDE3
    • _free.LIBCMT ref: 005EDDEA
    • _free.LIBCMT ref: 005EDE07
    • _free.LIBCMT ref: 005EDE1F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID: h`
    • API String ID: 161543041-636852635
    • Opcode ID: a6fbce29f2c7ce7043a58d169a15a10d66d6ede16ec77da2394f2f936429ceeb
    • Instruction ID: c89664810851017f1eed48d6bcba12e43001f493755ae24a8308016893b3033b
    • Opcode Fuzzy Hash: a6fbce29f2c7ce7043a58d169a15a10d66d6ede16ec77da2394f2f936429ceeb
    • Instruction Fuzzy Hash: A0316A31A003859FEB29AB3ADD49B56BBF9FB91310F144429E0D9DB191DB31AC40CA61
    APIs
    • GetDlgItem.USER32(00000068,00621CF0), ref: 005DE62D
    • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,005DC9A9,005F60F0,00621CF0,00621CF0,00001000,?,00000000,?), ref: 005DE655
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 005DE660
    • SendMessageW.USER32(00000000,000000C2,00000000,005F45F4), ref: 005DE66E
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 005DE684
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 005DE69E
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 005DE6E2
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 005DE6F0
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 005DE6FF
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 005DE726
    • SendMessageW.USER32(00000000,000000C2,00000000,005F549C), ref: 005DE735
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: MessageSend$ItemShowWindow
    • String ID: \
    • API String ID: 1207805008-2967466578
    • Opcode ID: f8a1a28a77f3e62f308dbb7f1eee845664082287ac878facff5ba1bb238414a0
    • Instruction ID: 81d368209863c4954b2cb08d0f0fc42e5b876199a11f53bc8cbf77a7beeec0bf
    • Opcode Fuzzy Hash: f8a1a28a77f3e62f308dbb7f1eee845664082287ac878facff5ba1bb238414a0
    • Instruction Fuzzy Hash: 3931E471145B40AFD321DF24DC4EFBB3FADFB52344F400909F692A6190C774591587A6
    APIs
    • __EH_prolog.LIBCMT ref: 005CC3FC
    • CoCreateInstance.COMBASE(005F68A0,00000000,00000001,005F67D0,?), ref: 005CC41E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CreateH_prologInstance
    • String ID: Name$Pou$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
    • API String ID: 457505298-3365319064
    • Opcode ID: 6f9552c477cac565e2dc74042aa5fc953ace709266d152520b0a068d833d1656
    • Instruction ID: e07800505a464adcb81e4837b5467d9db1155cb0b93daca4acb5cceb30a948f4
    • Opcode Fuzzy Hash: 6f9552c477cac565e2dc74042aa5fc953ace709266d152520b0a068d833d1656
    • Instruction Fuzzy Hash: C471F675A00219AFDB14DFA4C894EBFBFB9BF88710B14456DE506A72A0CB34AD05DB60
    APIs
    • _wcslen.LIBCMT ref: 005DA6F6
    • _wcslen.LIBCMT ref: 005DA796
    • GlobalAlloc.KERNEL32(00000040,?), ref: 005DA7A5
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 005DA7C6
    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 005DA7ED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
    • API String ID: 1777411235-4209811716
    • Opcode ID: c6c98e3f1a3c92446454b8f8cd04fc95d8261820007b6245457bd0a278ffc559
    • Instruction ID: 488b60d2847343e6bf905c7f8b993414b23cd027b24591a75f5f2f0caba7ed02
    • Opcode Fuzzy Hash: c6c98e3f1a3c92446454b8f8cd04fc95d8261820007b6245457bd0a278ffc559
    • Instruction Fuzzy Hash: 0F3159321047467AE739AB799C0AF6F7FA8FF91720F14041FF541962C1FB68990983A6
    APIs
    • _free.LIBCMT ref: 005EA435
      • Part of subcall function 005EA66A: RtlFreeHeap.NTDLL(00000000,00000000,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?), ref: 005EA680
      • Part of subcall function 005EA66A: GetLastError.KERNEL32(?,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?,?), ref: 005EA692
    • _free.LIBCMT ref: 005EA441
    • _free.LIBCMT ref: 005EA44C
    • _free.LIBCMT ref: 005EA457
    • _free.LIBCMT ref: 005EA462
    • _free.LIBCMT ref: 005EA46D
    • _free.LIBCMT ref: 005EA478
    • _free.LIBCMT ref: 005EA483
    • _free.LIBCMT ref: 005EA48E
    • _free.LIBCMT ref: 005EA49C
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: f426d064e5218cac4a0904ff00a861fb49f78464a8530aeba74c5f0db9fc360d
    • Instruction ID: 69730b98b918b5de016fa51da957146482d74e4984e9d196791f873f21a67565
    • Opcode Fuzzy Hash: f426d064e5218cac4a0904ff00a861fb49f78464a8530aeba74c5f0db9fc360d
    • Instruction Fuzzy Hash: F111C376900149AFCB09EF66C856CD93FB5FFD9750F0581A0FA488B222DB31EA519B81
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 322700389-393685449
    • Opcode ID: 62fb0a415079b1d7e1c4170553f7cc13b62c8c349e0cc5f573fba983708dc563
    • Instruction ID: 24ce82a9ffdbea21b3b5b4f256fec90bb65e7078c0cdc56724991545ce738796
    • Opcode Fuzzy Hash: 62fb0a415079b1d7e1c4170553f7cc13b62c8c349e0cc5f573fba983708dc563
    • Instruction Fuzzy Hash: E8B1787580028AEFCF1DDFA6C8898AEBFB5BF58310F10455AE9846B212D731DA51CF91
    APIs
    • _wcslen.LIBCMT ref: 005DE8FE
    • ShowWindow.USER32(?,00000000), ref: 005DEA6D
    • GetExitCodeProcess.KERNEL32(?,?), ref: 005DEAA9
    • CloseHandle.KERNEL32(?), ref: 005DEACF
    • ShowWindow.USER32(?,00000001), ref: 005DEB31
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
    • String ID: .exe$.inf$Ld_
    • API String ID: 783751319-551849580
    • Opcode ID: d2641b07dee3cf6881b530f4332dd157e9408aedd579a6cbb61d96ec5a55a3e8
    • Instruction ID: 3ec9f23083c2230f641a79782400fe696ccb3cd5bced40cba135a2fd2b42e986
    • Opcode Fuzzy Hash: d2641b07dee3cf6881b530f4332dd157e9408aedd579a6cbb61d96ec5a55a3e8
    • Instruction Fuzzy Hash: FF5104341497819EEB30BB28984AABB7FE5BF81744F08081FF5C19B350EB759895CB52
    APIs
    • _wcslen.LIBCMT ref: 005CB5E2
      • Part of subcall function 005D2701: GetSystemTime.KERNEL32(?), ref: 005D270F
      • Part of subcall function 005D2701: SystemTimeToFileTime.KERNEL32(?,?), ref: 005D271D
      • Part of subcall function 005D26AA: __aulldiv.LIBCMT ref: 005D26B3
    • __aulldiv.LIBCMT ref: 005CB60E
    • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 005CB615
    • _swprintf.LIBCMT ref: 005CB640
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    • _wcslen.LIBCMT ref: 005CB64A
    • _swprintf.LIBCMT ref: 005CB6A0
    • _wcslen.LIBCMT ref: 005CB6AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
    • String ID: %u.%03u
    • API String ID: 2956649372-1114938957
    • Opcode ID: 5a9437ddb60ee4c7d3eea85013f856d736a9a65d61b2e79061e85fbb3f613a55
    • Instruction ID: 850e8d86ea700fb7af00b3974d38eaaa5c5db66974ea32da0aea02826541367f
    • Opcode Fuzzy Hash: 5a9437ddb60ee4c7d3eea85013f856d736a9a65d61b2e79061e85fbb3f613a55
    • Instruction Fuzzy Hash: 3D219472A043416FD614EBA5CC8AE6B7BECFBD4710F40492EF585D3241DA74DA488BA1
    APIs
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 005DBC3F
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 005DBC50
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005DBC5E
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 005DBC6C
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 005DBC87
    • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 005DBCAE
    • _swprintf.LIBCMT ref: 005DBCD4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
    • String ID: %s %s
    • API String ID: 385609497-2939940506
    • Opcode ID: ca01d8c03dcb52630225270da8fbbe9264334852d126f0a726a1fe8100f43559
    • Instruction ID: 0c7d508da2a7aec66005cc964d5d921f69f37bc2429db24515118ff314a39035
    • Opcode Fuzzy Hash: ca01d8c03dcb52630225270da8fbbe9264334852d126f0a726a1fe8100f43559
    • Instruction Fuzzy Hash: AC21E3B240014DABDB219FA0EC48EFF3BADFF29304F040426FA05D2121E6249A49DB60
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,005CC43F,005CC441,00000000,00000000,C27F4F18,00000001,00000000,00000000,005CC32C,?,?,?,005CC43F,ROOT\CIMV2), ref: 005E0F59
    • MultiByteToWideChar.KERNEL32(00000000,00000000,005CC43F,?,00000000,00000000,?,?,?,?,?,005CC43F), ref: 005E0FD4
    • SysAllocString.OLEAUT32(00000000), ref: 005E0FDF
    • _com_issue_error.COMSUPP ref: 005E1008
    • _com_issue_error.COMSUPP ref: 005E1012
    • GetLastError.KERNEL32(80070057,C27F4F18,00000001,00000000,00000000,005CC32C,?,?,?,005CC43F,ROOT\CIMV2), ref: 005E1017
    • _com_issue_error.COMSUPP ref: 005E102A
    • GetLastError.KERNEL32(00000000,?,005CC43F,ROOT\CIMV2), ref: 005E1040
    • _com_issue_error.COMSUPP ref: 005E1053
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
    • String ID:
    • API String ID: 1353541977-0
    • Opcode ID: 389fd6d160a44aa88dfd76ab424df0468e8cb1fdcbaf2291d7df63b3c773469d
    • Instruction ID: aa4ba6bbb4f624d24c330670ef0dfe3b299b271f8e60e593608364b4ba84ea6c
    • Opcode Fuzzy Hash: 389fd6d160a44aa88dfd76ab424df0468e8cb1fdcbaf2291d7df63b3c773469d
    • Instruction Fuzzy Hash: BB412C71A003859FD7249FA6DC49BAF7FA9FB44710F104529F545D7280D775A880CBA4
    APIs
    • __EH_prolog.LIBCMT ref: 005CA5EE
    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 005CA611
    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 005CA630
      • Part of subcall function 005CD6A7: _wcslen.LIBCMT ref: 005CD6AF
      • Part of subcall function 005D3316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,005CD523,00000000,.exe,?,?,00000800,?,?,?,005D9E5C), ref: 005D332C
    • _swprintf.LIBCMT ref: 005CA6CC
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    • MoveFileW.KERNEL32(?,?), ref: 005CA73B
    • MoveFileW.KERNEL32(?,?), ref: 005CA77B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
    • String ID: rtmp%d
    • API String ID: 3726343395-3303766350
    • Opcode ID: 61a4cd15f69c61b571502824cbf91ff93e585f50a42729ff21f2db65a0dafb79
    • Instruction ID: 37745208878dfb87b9464e2e09a7b9c60faea2a31747c1a2851271f760868076
    • Opcode Fuzzy Hash: 61a4cd15f69c61b571502824cbf91ff93e585f50a42729ff21f2db65a0dafb79
    • Instruction Fuzzy Hash: AC410B7190055EAACF20ABE0CC59FEF7FBCFF94344F0404AAA545E2146DA348A85DF61
    APIs
      • Part of subcall function 005C12F6: GetParent.USER32(?), ref: 005C132A
      • Part of subcall function 005C12F6: GetDlgItem.USER32(00000000,00003021), ref: 005C133A
      • Part of subcall function 005C12F6: SetWindowTextW.USER32(00000000,005F45F4), ref: 005C1350
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 005DC827
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 005DC840
    • SetWindowTextW.USER32(?,?), ref: 005DC851
    • GetDlgItem.USER32(?,00000065), ref: 005DC85A
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 005DC86E
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 005DC884
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: MessageSend$Item$TextWindow$Parent
    • String ID: LICENSEDLG
    • API String ID: 3346671314-2177901306
    • Opcode ID: 21f3fa799d1100fca15b5075e41454db67fd60716330eba5b8e76c4039950e14
    • Instruction ID: 516fbee409c83cc75ec6e35bd01b7badf4bf4388dd287606bb9cef538b6e22ca
    • Opcode Fuzzy Hash: 21f3fa799d1100fca15b5075e41454db67fd60716330eba5b8e76c4039950e14
    • Instruction Fuzzy Hash: 3221B436244A067BD3315B69EC4DF7B3F6EFB46B55F00401AF602E52A0CB619812E731
    APIs
    • GetWindow.USER32(?,00000005), ref: 005DE811
    • GetClassNameW.USER32(00000000,?,00000800), ref: 005DE83D
      • Part of subcall function 005D3316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,005CD523,00000000,.exe,?,?,00000800,?,?,?,005D9E5C), ref: 005D332C
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 005DE870
    • GetObjectW.GDI32(00000000,00000018,?), ref: 005DE884
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 005DE8AD
    • GetWindow.USER32(00000000,00000002), ref: 005DE8BD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: MessageSendWindow$ClassCompareNameObjectString
    • String ID: STATIC
    • API String ID: 2147236255-1882779555
    • Opcode ID: 35f9b1692ea4b42dc9fe6b56422b9971250b6b5dbafc5d41f9e01c776be0b935
    • Instruction ID: 6cdc252f89960d20428d33081904b4b7d4b9521a8919908ef0eb81871dace59e
    • Opcode Fuzzy Hash: 35f9b1692ea4b42dc9fe6b56422b9971250b6b5dbafc5d41f9e01c776be0b935
    • Instruction Fuzzy Hash: 91110F32100F117BE3307B689C0EFAF7E5EBB94711F000023FA02A9392DB74890696A5
    APIs
    • __aulldiv.LIBCMT ref: 005D254E
      • Part of subcall function 005CC619: GetVersionExW.KERNEL32(?), ref: 005CC63E
    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 005D2571
    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 005D2583
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 005D2594
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005D25A4
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005D25B4
    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 005D25EF
    • __aullrem.LIBCMT ref: 005D2699
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
    • String ID:
    • API String ID: 1247370737-0
    • Opcode ID: 9ac4a57e2ca713776fc6c68b4a22284cbf853248981504da896642fee01e82c5
    • Instruction ID: f8f2bd2a3fa72e83914d7aba65a4705c2517f9116040448f5a7fd82d2297bde1
    • Opcode Fuzzy Hash: 9ac4a57e2ca713776fc6c68b4a22284cbf853248981504da896642fee01e82c5
    • Instruction Fuzzy Hash: 8B4125B14083069FC714DF69C88496BBBE9FB98314F008A2EF596C3250E739E549DB62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: </p>$</style>$<br>$<style>$>
    • API String ID: 176396367-3568243669
    • Opcode ID: dec491a5eb78c51bb319028d5c010fe7f8b4aa959f662758e4e982f3a631188f
    • Instruction ID: 8490cf19d9fc4566749aafd418f1a73677cdb6641a0499ae9db7f8504da74bb6
    • Opcode Fuzzy Hash: dec491a5eb78c51bb319028d5c010fe7f8b4aa959f662758e4e982f3a631188f
    • Instruction Fuzzy Hash: 7F51266664136392DB30AA2C88117777BE5FFA4791F68442BF9C18B7C0FB648D81C263
    APIs
    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,005F0FC2,00000000,00000000,00000000,00000000,00000000,?), ref: 005F088F
    • __fassign.LIBCMT ref: 005F090A
    • __fassign.LIBCMT ref: 005F0925
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 005F094B
    • WriteFile.KERNEL32(?,00000000,00000000,005F0FC2,00000000,?,?,?,?,?,?,?,?,?,005F0FC2,00000000), ref: 005F096A
    • WriteFile.KERNEL32(?,00000000,00000001,005F0FC2,00000000,?,?,?,?,?,?,?,?,?,005F0FC2,00000000), ref: 005F09A3
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 02cf94f1e706804807891a3d6ea2de1861f8e0f4be4f37c3f51be541639e2a6c
    • Instruction ID: 9043b9bbc84d44bdb7dc9783181ac142838b6e15cec678a87380528edd81b338
    • Opcode Fuzzy Hash: 02cf94f1e706804807891a3d6ea2de1861f8e0f4be4f37c3f51be541639e2a6c
    • Instruction Fuzzy Hash: 45519171A00249AFDB10CFA8D945BFEBBF9FF09300F18511AEA55E7292E7749941CB60
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 005E3AC7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 005E3ACF
    • _ValidateLocalCookies.LIBCMT ref: 005E3B58
    • __IsNonwritableInCurrentImage.LIBCMT ref: 005E3B83
    • _ValidateLocalCookies.LIBCMT ref: 005E3BD8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 0611b4a461e5abbcdd811f16b77b345a4de362dc8eded7e5e8bea293bf572f69
    • Instruction ID: 90c2e13a7165ba7a5c937aac9971ba272e166eee32dc356f15c6a6ee575cb25e
    • Opcode Fuzzy Hash: 0611b4a461e5abbcdd811f16b77b345a4de362dc8eded7e5e8bea293bf572f69
    • Instruction Fuzzy Hash: C141D634A00289ABCF04DF6AC888A9EBFB5FF45314F1481A5E8959B352C775DE05CF91
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
    • API String ID: 176396367-3743748572
    • Opcode ID: e61842399a94cc54885631be3580b23023855dd88cd0b2c2750cf90e46975950
    • Instruction ID: b5c9ad85b274e06ce273f062451fe21ce676600165085c17e23ca38bf87de2d7
    • Opcode Fuzzy Hash: e61842399a94cc54885631be3580b23023855dd88cd0b2c2750cf90e46975950
    • Instruction Fuzzy Hash: 7D318B326447469ADA34BB589C42B7B7BE4FB90320F60851FF595473C0FA60AD80C3A7
    APIs
      • Part of subcall function 005EDA28: _free.LIBCMT ref: 005EDA51
    • _free.LIBCMT ref: 005EDAB2
      • Part of subcall function 005EA66A: RtlFreeHeap.NTDLL(00000000,00000000,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?), ref: 005EA680
      • Part of subcall function 005EA66A: GetLastError.KERNEL32(?,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?,?), ref: 005EA692
    • _free.LIBCMT ref: 005EDABD
    • _free.LIBCMT ref: 005EDAC8
    • _free.LIBCMT ref: 005EDB1C
    • _free.LIBCMT ref: 005EDB27
    • _free.LIBCMT ref: 005EDB32
    • _free.LIBCMT ref: 005EDB3D
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction ID: a36a305ca4bfbb4521b75cfb4722634a42cb44a457b7e6cf0174b637ba5457ca
    • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction Fuzzy Hash: 1F118C31944B85AAD524B7B2CC0AFCB7FBCBFD1300F400C34B2DA6A052DB24B6404761
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,005DF7F5,005DF758,005DF9F9), ref: 005DF791
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005DF7A7
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005DF7BC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 667068680-1718035505
    • Opcode ID: 93a8e06f2653af460470d9e35b3b53b5a62399f9544162f6dbc27896aa6c7ce1
    • Instruction ID: fc6bfdda732a052a0ead7c6a9b28322967f74fcd2c86222022e6c748e4f0e59b
    • Opcode Fuzzy Hash: 93a8e06f2653af460470d9e35b3b53b5a62399f9544162f6dbc27896aa6c7ce1
    • Instruction Fuzzy Hash: 63F0CD313416239B9B304EAC5C859FB2E9DFE01755324083BEA5BE7300EB18CC869BE0
    APIs
      • Part of subcall function 005CF608: _swprintf.LIBCMT ref: 005CF62E
      • Part of subcall function 005CF608: _strlen.LIBCMT ref: 005CF64F
      • Part of subcall function 005CF608: SetDlgItemTextW.USER32(?,00600274,?), ref: 005CF6AF
      • Part of subcall function 005CF608: GetWindowRect.USER32(?,?), ref: 005CF6E9
      • Part of subcall function 005CF608: GetClientRect.USER32(?,?), ref: 005CF6F5
    • GetParent.USER32(?), ref: 005C132A
    • GetDlgItem.USER32(00000000,00003021), ref: 005C133A
    • SetWindowTextW.USER32(00000000,005F45F4), ref: 005C1350
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ItemRectTextWindow$ClientParent_strlen_swprintf
    • String ID: 0$p0`$p0`
    • API String ID: 1283792255-762388361
    • Opcode ID: 7f104407ff432253528ce57f7b0b5a43998a5a8a0751f9dc01de75b414bad30d
    • Instruction ID: 24f89f08af01a87749a56c44b3825e1ca419bee0bc90d4e1659011c2af5d6faa
    • Opcode Fuzzy Hash: 7f104407ff432253528ce57f7b0b5a43998a5a8a0751f9dc01de75b414bad30d
    • Instruction Fuzzy Hash: 6CF03130540B89AEDF255EA0880DFAA3F9ABB06B59F044928FD45545A2CB74C591EB24
    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005D27F1
      • Part of subcall function 005CC619: GetVersionExW.KERNEL32(?), ref: 005CC63E
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005D2815
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 005D282F
    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 005D2842
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005D2852
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005D2862
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion
    • String ID:
    • API String ID: 2092733347-0
    • Opcode ID: 3990a236777a66f231f7aac06c380869b07216aa89adb991ceb52c7b20ff2bec
    • Instruction ID: 51b1aecc52b7a669143ede58279fcaf3cd87f0a519f3acbc74f54a1b3ad16580
    • Opcode Fuzzy Hash: 3990a236777a66f231f7aac06c380869b07216aa89adb991ceb52c7b20ff2bec
    • Instruction Fuzzy Hash: 41310B75108315AFC704DFA8D8849ABBBE8FFA8714F00591EF995C3210E734D549CBA6
    APIs
    • GetLastError.KERNEL32(?,?,005E3C81,005E3A3C,005E0BF4), ref: 005E3C98
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005E3CA6
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005E3CBF
    • SetLastError.KERNEL32(00000000,005E3C81,005E3A3C,005E0BF4), ref: 005E3D11
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: a0442044c3cb38290a7568306cd1806fe296e8bfd59d9be709788a1010789f88
    • Instruction ID: 94fc9ed348c5fa96062f786c4d53f9191dcfa18cff8008b0ea856557a32a56bb
    • Opcode Fuzzy Hash: a0442044c3cb38290a7568306cd1806fe296e8bfd59d9be709788a1010789f88
    • Instruction Fuzzy Hash: A901B1322183625EE71C277ABD8D72B2F99FB81774F30126AF690A70E1EE555C109A84
    APIs
    • GetLastError.KERNEL32(?,00603070,005E5982,00603070,?,?,005E5281,00000050,?,00603070,00000200), ref: 005EA519
    • _free.LIBCMT ref: 005EA54C
    • _free.LIBCMT ref: 005EA574
    • SetLastError.KERNEL32(00000000,?,00603070,00000200), ref: 005EA581
    • SetLastError.KERNEL32(00000000,?,00603070,00000200), ref: 005EA58D
    • _abort.LIBCMT ref: 005EA593
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 3850280619a300106d10288a0a53463fc0610ccf2d749a2401e7791358592fa7
    • Instruction ID: a4058267fb74289b3e53cc0ebe5a32544260292615028ec0f3a664418861ccf1
    • Opcode Fuzzy Hash: 3850280619a300106d10288a0a53463fc0610ccf2d749a2401e7791358592fa7
    • Instruction Fuzzy Hash: 6CF0F9361406C267D61D333B7C0EB3F1E2ABBD1760F250125F6D4D3191FF28A9029916
    APIs
      • Part of subcall function 005D1907: _wcslen.LIBCMT ref: 005D190D
      • Part of subcall function 005CCD5C: _wcsrchr.LIBVCRUNTIME ref: 005CCD73
    • _wcslen.LIBCMT ref: 005CD5A4
    • _wcslen.LIBCMT ref: 005CD5EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$_wcsrchr
    • String ID: .exe$.rar$.sfx
    • API String ID: 3513545583-31770016
    • Opcode ID: df871c6dcf9330cba2249194cc4bb54fed7950f937d3a12a9233ab62af006591
    • Instruction ID: bd4501e99ea5b0afd8ea9c7b9701a2afd41c0e1ac77f209110d236b306af61a6
    • Opcode Fuzzy Hash: df871c6dcf9330cba2249194cc4bb54fed7950f937d3a12a9233ab62af006591
    • Instruction Fuzzy Hash: EC41E222900752ADC731ABB48856F3B7FB8FF91758B10092FF986DB181E7619D81C3A5
    APIs
    • _wcslen.LIBCMT ref: 005CCF56
    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,005CB505,?,?,00000800,?,?,005CB4CA,?), ref: 005CCFF4
    • _wcslen.LIBCMT ref: 005CD06A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$CurrentDirectory
    • String ID: UNC$\\?\
    • API String ID: 3341907918-253988292
    • Opcode ID: 0fefe870f0a835a271f062577aa3524e616d03394d80f88cb8117ded1c08d814
    • Instruction ID: d795159eef1e2ed56016b105a1105c18fdf805af78fce9c2229f15155720dc47
    • Opcode Fuzzy Hash: 0fefe870f0a835a271f062577aa3524e616d03394d80f88cb8117ded1c08d814
    • Instruction Fuzzy Hash: 9841A33240021ABECF20AFA8CC09FEB7FB9BF85350F14443EF854E6141E7B499919A61
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005E91E6,00000000,?,005E9186,00000000,005FD570,0000000C,005E92DD,00000000,00000002), ref: 005E9255
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005E9268
    • FreeLibrary.KERNEL32(00000000,?,?,?,005E91E6,00000000,?,005E9186,00000000,005FD570,0000000C,005E92DD,00000000,00000002), ref: 005E928B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: fa0a34af1fd45892118822f5dbb24c23147813c3f8d3118b624e7293559394d9
    • Instruction ID: 48f7027fc55bb7935a091ad1b84b30c9f7ce79e7add2b16b6e309be5fe6146d6
    • Opcode Fuzzy Hash: fa0a34af1fd45892118822f5dbb24c23147813c3f8d3118b624e7293559394d9
    • Instruction Fuzzy Hash: E3F0443590020CBBDF159BA5DC49BAE7FB9FB44755F0001A4F905A6160CB749E45DE90
    APIs
      • Part of subcall function 005D1B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005D1B56
      • Part of subcall function 005D1B3B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,005D063A,Crypt32.dll,00000000,005D06B4,00000200,?,005D0697,00000000,00000000,?), ref: 005D1B78
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 005D0646
    • GetProcAddress.KERNEL32(0060A1F0,CryptUnprotectMemory), ref: 005D0656
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AddressProc$DirectoryLibraryLoadSystem
    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
    • API String ID: 2141747552-1753850145
    • Opcode ID: bd1348a64da5df41ab4b6781b961d38a900f77b6fa1321de15fd9c019302a839
    • Instruction ID: 0c8371bce462e58c0e364fdb30cd985a3dca06ee394352b51e0fa5c81aa7a945
    • Opcode Fuzzy Hash: bd1348a64da5df41ab4b6781b961d38a900f77b6fa1321de15fd9c019302a839
    • Instruction Fuzzy Hash: 6CE04F708447115EDB315F79A94CB277EE47B24B00F00885FE285D3792DAB8D480CF10
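    Three of the entries above share one pattern: a library is named (GetModuleHandleW with KERNEL32.DLL at ref 005DF791, GetModuleHandleExW with mscoree.dll at 005E9255, GetSystemDirectoryW followed by LoadLibraryW with Crypt32.dll in subcall 005D1B3B) and exports are then resolved by string through GetProcAddress (AcquireSRWLockExclusive/ReleaseSRWLockExclusive, CorExitProcess, CryptProtectMemory/CryptUnprotectMemory). The first two are consistent with the MSVC runtime's own lazy binding rather than with anything sample-specific; the third is worth a closer look in the disassembly, since a GetSystemDirectoryW call ahead of LoadLibraryW usually means an absolute system-directory path is built, although the report shows only the call order, not the path passed. The helper below is an added example, not code from this report or from the analysed sample: it parses the "APIs" lists in the form Joe Sandbox prints them and pairs every GetProcAddress export with the library most recently named in the same entry. The three trace blocks are copied from this page as constructed input, and the `via_system_dir` flag is this example's own heuristic.

```python
"""Triage helper for the "APIs" lists of Joe Sandbox function entries.
Added example, not code from the report or the analysed sample: pairs each
GetProcAddress export with the library last named by LoadLibrary*/GetModuleHandle*
in the same entry. Trace blocks copied from this page as constructed input."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API lines copied from three function entries on this page.
SRWLOCK_ENTRY = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,005DF7F5,005DF758,005DF9F9), ref: 005DF791
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005DF7A7
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005DF7BC
"""
CLR_EXIT_ENTRY = """\
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005E91E6,00000000,?,005E9186,00000000,005FD570,0000000C,005E92DD,00000000,00000002), ref: 005E9255
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005E9268
• FreeLibrary.KERNEL32(00000000,?,?,?,005E91E6,00000000,?,005E9186,00000000,005FD570,0000000C,005E92DD,00000000,00000002), ref: 005E928B
"""
CRYPT32_ENTRY = """\
  • Part of subcall function 005D1B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005D1B56
  • Part of subcall function 005D1B3B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,005D063A,Crypt32.dll,00000000,005D06B4,00000200,?,005D0697,00000000,00000000,?), ref: 005D1B78
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 005D0646
• GetProcAddress.KERNEL32(0060A1F0,CryptUnprotectMemory), ref: 005D0656
"""

# One trace line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(args), ref: ADDR; the argument list is absent for some calls.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW"}

@dataclass
class ApiCall:
    api: str
    module: str             # exporting module as labelled by Joe Sandbox
    args: List[str]
    ref: str                # call-site address
    subcall: Optional[str]  # parent function for "Part of subcall" lines

    def string_args(self) -> List[str]:
        # Joe Sandbox prints "?" for unknown values and 8 hex digits for raw
        # stack words; anything else is a string it could read from memory.
        return [a for a in self.args if a != "?" and not HEX32_RE.match(a)]

def parse_trace(text: str) -> List[ApiCall]:
    """Parse every recognisable API line of one function entry, in order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return calls

@dataclass
class ResolvedImport:
    library: Optional[str]  # library named before this GetProcAddress, if any
    export: str
    ref: str
    via_system_dir: bool    # heuristic: GetSystemDirectoryW preceded the load

def dynamic_imports(text: str) -> List[ResolvedImport]:
    """Pair each GetProcAddress export with the last library named in the entry.
    via_system_dir is an assumption of this example: the report shows only the
    call order, not the path actually handed to LoadLibraryW."""
    library, saw_sysdir, found = None, False, []
    for call in parse_trace(text):
        if call.api == "GetSystemDirectoryW":
            saw_sysdir = True
        elif call.api in LOADERS:
            names = [a for a in call.string_args() if a.lower().endswith(".dll")]
            if names:
                library = names[0]
        elif call.api == "GetProcAddress":
            for export in call.string_args():
                found.append(ResolvedImport(library, export, call.ref, saw_sysdir))
    return found

def summarize(entries: List[str]) -> dict:
    """Group resolved exports by library across several function entries."""
    by_library = {}
    for text in entries:
        for imp in dynamic_imports(text):
            by_library.setdefault(imp.library, []).append(imp.export)
    return by_library

if __name__ == "__main__":
    for lib, exports in summarize([SRWLOCK_ENTRY, CLR_EXIT_ENTRY, CRYPT32_ENTRY]).items():
        print(f"{lib}: {', '.join(exports)}")
```

    Run against the three entries it groups the resolved exports under KERNEL32.DLL, mscoree.dll and Crypt32.dll and flags only the Crypt32 pair as preceded by GetSystemDirectoryW; pointing it at the full "APIs" lists of a report gives a quick inventory of which imports never appear in the import table and therefore deserve a look in the disassembler.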
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AdjustPointer$_abort
    • String ID:
    • API String ID: 2252061734-0
    • Opcode ID: a2301d65015a596cd1d616bc81722a386bbcc4c1dce75c5169f66ccd56142261
    • Instruction ID: 0c787c809fd20a5bbc481aa874378eb18f9a5f6334a42fa13b5df230d64daaad
    • Opcode Fuzzy Hash: a2301d65015a596cd1d616bc81722a386bbcc4c1dce75c5169f66ccd56142261
    • Instruction Fuzzy Hash: 7451D172A002869FDB2D8F16D94DB7A7FA9FF44310F14452DE88197291E771EE80CB90
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 005ED0F9
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005ED11C
      • Part of subcall function 005EA7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005EDBEC,00000000,?,005E80B1,?,00000008,?,005EA871,?,?,?), ref: 005EA830
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005ED142
    • _free.LIBCMT ref: 005ED155
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005ED164
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    • Opcode ID: ebec0d361fa17331207fdcb298b2015f22933b32175d2ddc03080be158caec82
    • Instruction ID: 93b3e081e0f3cd6f5a462b5f1a3b839253e219a963d40a24f5421dc7d2e6bbc9
    • Opcode Fuzzy Hash: ebec0d361fa17331207fdcb298b2015f22933b32175d2ddc03080be158caec82
    • Instruction Fuzzy Hash: A00184726012957F272956B76C8CC7B6E7DFED2BE03140129B988C6300EA688C02D5B1
    APIs
    • GetLastError.KERNEL32(?,?,?,005EA7F0,005EC348,?,005EA543,00000001,00000364,?,005E5281,00000050,?,00603070,00000200), ref: 005EA59E
    • _free.LIBCMT ref: 005EA5D3
    • _free.LIBCMT ref: 005EA5FA
    • SetLastError.KERNEL32(00000000,?,00603070,00000200), ref: 005EA607
    • SetLastError.KERNEL32(00000000,?,00603070,00000200), ref: 005EA610
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: 150d3ad72939cf4a2c8efdc4017e84cd93eeab8ded154a989abbfbde423583fe
    • Instruction ID: 9fe8fe39da1698c466ceb4ef21f036d482dff1d74b083621c23261f003f4b401
    • Opcode Fuzzy Hash: 150d3ad72939cf4a2c8efdc4017e84cd93eeab8ded154a989abbfbde423583fe
    • Instruction Fuzzy Hash: 6B012636580681A7861E27372C8DA3B2D6EBBD23607250025F985D3182FF24AD026466
    APIs
      • Part of subcall function 005D24EF: ResetEvent.KERNEL32(?), ref: 005D2501
      • Part of subcall function 005D24EF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 005D2515
    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 005D2241
    • CloseHandle.KERNEL32(?,?), ref: 005D225B
    • DeleteCriticalSection.KERNEL32(?), ref: 005D2274
    • CloseHandle.KERNEL32(?), ref: 005D2280
    • CloseHandle.KERNEL32(?), ref: 005D228C
      • Part of subcall function 005D2303: WaitForSingleObject.KERNEL32(?,000000FF,005D2526,?), ref: 005D2309
      • Part of subcall function 005D2303: GetLastError.KERNEL32(?), ref: 005D2315
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
    • String ID:
    • API String ID: 1868215902-0
    • Opcode ID: c578801aafb3140b3332abd630e2bc79bf5e84ba9482e1d90a1936edc8fb1b4b
    • Instruction ID: 146944b4a15e1da3b9de7dc3dcd159f738d8d1120ed9d9d24fe72d88c2b0b4b0
    • Opcode Fuzzy Hash: c578801aafb3140b3332abd630e2bc79bf5e84ba9482e1d90a1936edc8fb1b4b
    • Instruction Fuzzy Hash: 0F017576000704EFC7329F68DD88FD6BBADFB58710F00492AF26A92160CB796959DF50
    APIs
    • _free.LIBCMT ref: 005ED9D7
      • Part of subcall function 005EA66A: RtlFreeHeap.NTDLL(00000000,00000000,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?), ref: 005EA680
      • Part of subcall function 005EA66A: GetLastError.KERNEL32(?,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?,?), ref: 005EA692
    • _free.LIBCMT ref: 005ED9E9
    • _free.LIBCMT ref: 005ED9FB
    • _free.LIBCMT ref: 005EDA0D
    • _free.LIBCMT ref: 005EDA1F
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    APIs
    • _wcslen.LIBCMT ref: 005D3340
    • _wcslen.LIBCMT ref: 005D3351
    • _wcslen.LIBCMT ref: 005D3361
    • _wcslen.LIBCMT ref: 005D336F
    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,005CC844,?,?,00000000,?,?,?), ref: 005D338A
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$CompareString
    • String ID:
    • API String ID: 3397213944-0
    APIs
    • _free.LIBCMT ref: 005E9CEE
      • Part of subcall function 005EA66A: RtlFreeHeap.NTDLL(00000000,00000000,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?), ref: 005EA680
      • Part of subcall function 005EA66A: GetLastError.KERNEL32(?,?,005EDA56,?,00000000,?,00000000,?,005EDA7D,?,00000007,?,?,005EDE7A,?,?), ref: 005EA692
    • _free.LIBCMT ref: 005E9D00
    • _free.LIBCMT ref: 005E9D13
    • _free.LIBCMT ref: 005E9D24
    • _free.LIBCMT ref: 005E9D35
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    APIs
      • Part of subcall function 005DB6A9: GetDC.USER32(00000000), ref: 005DB6AD
      • Part of subcall function 005DB6A9: GetDeviceCaps.GDI32(00000000,0000000C), ref: 005DB6B8
      • Part of subcall function 005DB6A9: ReleaseDC.USER32(00000000,00000000), ref: 005DB6C3
    • GetObjectW.GDI32(?,00000018,?), ref: 005DB84C
      • Part of subcall function 005DBADE: GetDC.USER32(00000000), ref: 005DBAE7
      • Part of subcall function 005DBADE: GetObjectW.GDI32(?,00000018,?), ref: 005DBB16
      • Part of subcall function 005DBADE: ReleaseDC.USER32(00000000,?), ref: 005DBBAE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ObjectRelease$CapsDevice
    • String ID: ($Pou
    • API String ID: 1061551593-2564039336
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _swprintf
    • String ID: %ls$%s: %s
    • API String ID: 589789837-2259941744
    APIs
    • GetTempPathW.KERNEL32(00000800,?), ref: 005DDFE2
      • Part of subcall function 005CCAA0: _wcslen.LIBCMT ref: 005CCAA6
    • _swprintf.LIBCMT ref: 005DE016
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    • SetDlgItemTextW.USER32(?,00000066,00612892), ref: 005DE036
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ItemPathTempText__vswprintf_c_l_swprintf_wcslen
    • String ID: %s%s%u
    • API String ID: 1453054206-1360425832
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ET7GnkzV1D.exe,00000104), ref: 005E9370
    • _free.LIBCMT ref: 005E943B
    • _free.LIBCMT ref: 005E9445
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\ET7GnkzV1D.exe
    • API String ID: 2506810119-1416630267
    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 005E438B
    • _abort.LIBCMT ref: 005E4496
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: EncodePointer_abort
    • String ID: MOC$RCC
    • API String ID: 948111806-2084237596
    APIs
    • __EH_prolog.LIBCMT ref: 005C7F20
      • Part of subcall function 005C42F1: __EH_prolog.LIBCMT ref: 005C42F6
    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 005C7FE5
      • Part of subcall function 005C8704: GetCurrentProcess.KERNEL32(00000020,?), ref: 005C8713
      • Part of subcall function 005C8704: GetLastError.KERNEL32 ref: 005C8759
      • Part of subcall function 005C8704: CloseHandle.KERNEL32(?), ref: 005C8768
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
    • String ID: SeRestorePrivilege$SeSecurityPrivilege
    • API String ID: 3813983858-639343689
    APIs
    • __fprintf_l.LIBCMT ref: 005CEC74
    • _strncpy.LIBCMT ref: 005CECBA
      • Part of subcall function 005D30F5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00603070,00000200,005CEC48,00000000,?,00000050,00603070), ref: 005D3112
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_strncpy
    • String ID: $%s$@%s
    • API String ID: 562999700-834177443
    APIs
    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,005CC04A,00000008,?,00000000,?,005CE685,?,00000000), ref: 005D21A5
    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,005CC04A,00000008,?,00000000,?,005CE685,?,00000000), ref: 005D21AF
    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,005CC04A,00000008,?,00000000,?,005CE685,?,00000000), ref: 005D21BF
    Strings
    • Thread pool initialization failed., xrefs: 005D21D7
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Create$CriticalEventInitializeSectionSemaphore
    • String ID: Thread pool initialization failed.
    • API String ID: 3340455307-2182114853
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID:
    • String ID: RENAMEDLG$REPLACEFILEDLG
    • API String ID: 0-56093855
    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 005C495C
      • Part of subcall function 005DFD1D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 005DFD29
      • Part of subcall function 005DFD1D: ___delayLoadHelper2@8.DELAYIMP ref: 005DFD4F
    • std::_Xinvalid_argument.LIBCPMT ref: 005C4967
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
    • String ID: string too long$vector too long
    • API String ID: 2355824318-1617939282
    APIs
    • LoadCursorW.USER32(00000000,00007F00), ref: 005DAC5B
    • RegisterClassExW.USER32(00000030), ref: 005DAC7C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ClassCursorLoadRegister
    • String ID: 0$RarHtmlClassName
    • API String ID: 1693014935-3342523147
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,005C8D5C,?,?,?), ref: 005CB7F3
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,005C8D5C,?,?), ref: 005CB837
    • SetFileTime.KERNEL32(?,005C8AEC,?,00000000,?,00000800,?,005C8D5C,?,?,?,?,?,?,?,?), ref: 005CB8B8
    • CloseHandle.KERNEL32(?,?,00000800,?,005C8D5C,?,?,?,?,?,?,?,?,?,?), ref: 005CB8BF
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: File$Create$CloseHandleTime
    • String ID:
    • API String ID: 2287278272-0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen
    • String ID:
    • API String ID: 176396367-0
    APIs
    • _wcslen.LIBCMT ref: 005C8532
    • _wcslen.LIBCMT ref: 005C8558
    • _wcslen.LIBCMT ref: 005C85EF
    • _wcslen.LIBCMT ref: 005C8657
      • Part of subcall function 005CB966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 005CB991
      • Part of subcall function 005CB41F: RemoveDirectoryW.KERNEL32(?,?,?,005C8649,?), ref: 005CB430
      • Part of subcall function 005CB41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,005C8649,?), ref: 005CB45E
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen$DirectoryRemove$CloseFind
    • String ID:
    • API String ID: 973666142-0
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,005EA871,?,00000000,?,00000001,?,?,00000001,005EA871,?), ref: 005EDB95
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005EDC1E
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,005E80B1,?), ref: 005EDC30
    • __freea.LIBCMT ref: 005EDC39
      • Part of subcall function 005EA7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005EDBEC,00000000,?,005E80B1,?,00000008,?,005EA871,?,?,?), ref: 005EA830
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    APIs
    • GetDC.USER32(00000000), ref: 005DB676
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 005DB685
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005DB693
    • ReleaseDC.USER32(00000000,00000000), ref: 005DB6A1
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: cae2d1167ff44551e3b894a9c86c30fec09ed73901da5a7627a332833952e7df
    • Instruction ID: 1c4e6339c2ce1533d9dff3ccdc79aa8e8e66f002e37d0c8b357501222a442fa3
    • Opcode Fuzzy Hash: cae2d1167ff44551e3b894a9c86c30fec09ed73901da5a7627a332833952e7df
    • Instruction Fuzzy Hash: 31E0EC35985F61ABD7301BB4AC1DBAB3F56AB15752F051006FA0296190CAB044558FD1
    APIs
    • __EH_prolog.LIBCMT ref: 005C80C3
      • Part of subcall function 005D1907: _wcslen.LIBCMT ref: 005D190D
      • Part of subcall function 005CB966: FindClose.KERNEL32(00000000,000000FF,?,?), ref: 005CB991
    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005C8262
      • Part of subcall function 005CB8E6: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,005CB5B5,?,?,?,005CB405,?,00000001,00000000,?,?), ref: 005CB8FA
      • Part of subcall function 005CB8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,005CB5B5,?,?,?,005CB405,?,00000001,00000000,?,?), ref: 005CB92B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: File$Attributes$CloseFindH_prologTime_wcslen
    • String ID: :
    • API String ID: 3226429890-336475711
    • Opcode ID: 57b5686715a4fd2f793db9c0d54328137188da45e65b80bb14ee53d005e37252
    • Instruction ID: 0cf711b7c3f6be04aae999410b23c5084724c4f32d31c5f9bffa332e2b427a8a
    • Opcode Fuzzy Hash: 57b5686715a4fd2f793db9c0d54328137188da45e65b80bb14ee53d005e37252
    • Instruction Fuzzy Hash: 22515371800559AEEB25EBA0CC5AFEE7B7DFF85300F04409AB606A6182DB745F85CF61
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: }
    • API String ID: 176396367-4239843852
    • Opcode ID: f4c075ba1eec2d1e7fbb8873cd90cdfde109bdd40dfcad93b2eb029f9b5208d0
    • Instruction ID: f810b3fbf71b67e6bbb8edaec0ba5ecfddb715d949b02889833b8f2040e69a56
    • Opcode Fuzzy Hash: f4c075ba1eec2d1e7fbb8873cd90cdfde109bdd40dfcad93b2eb029f9b5208d0
    • Instruction Fuzzy Hash: 8D21C22290430B5AD731EB68D849A6BBFECFB84750F00042FF640C2341EB61D948CBA2
    APIs
      • Part of subcall function 005D0627: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 005D0646
      • Part of subcall function 005D0627: GetProcAddress.KERNEL32(0060A1F0,CryptUnprotectMemory), ref: 005D0656
    • GetCurrentProcessId.KERNEL32(?,00000200,?,005D0697), ref: 005D072A
    Strings
    • CryptProtectMemory failed, xrefs: 005D06E1
    • CryptUnprotectMemory failed, xrefs: 005D0722
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: AddressProc$CurrentProcess
    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
    • API String ID: 2190909847-396321323
    • Opcode ID: 32efa635639594334c2cf99e6b2f7b0d0f2939435537e1f2fd867d6a71e8b448
    • Instruction ID: ceca295827a6b29b7dfe1382ca89ca2f717f44d8fb9a8150b5228d902e5e4710
    • Opcode Fuzzy Hash: 32efa635639594334c2cf99e6b2f7b0d0f2939435537e1f2fd867d6a71e8b448
    • Instruction Fuzzy Hash: 01110C31A00269ABDF255B289844B6F3F29FB447A4F05415BFC01AF3D2C624AD81CE95
    APIs
    • _swprintf.LIBCMT ref: 005CCDE7
      • Part of subcall function 005C4A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C4A33
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: __vswprintf_c_l_swprintf
    • String ID: %c:\
    • API String ID: 1543624204-3142399695
    • Opcode ID: f426afd2c57c61e5f1805425b1d765ba33f1dbddcd998a2495c8ad1ec63f29b3
    • Instruction ID: 69381ea2e96f6c291e06c5dae94ba3465f35f1ef8ddbd28a7ccf2915799f824f
    • Opcode Fuzzy Hash: f426afd2c57c61e5f1805425b1d765ba33f1dbddcd998a2495c8ad1ec63f29b3
    • Instruction Fuzzy Hash: 8F01F9635043527EDA35ABEA9C4AE67AFACFFD6770B40481EF489D7081EA20D440D6B1
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E0DBD
    • ___raise_securityfailure.LIBCMT ref: 005E0EA5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: x=b
    • API String ID: 3761405300-1828169776
    • Opcode ID: 67bad89309b4104818ca6eb058d364c16b87fa78929c67e058025ba47a381a33
    • Instruction ID: a7dac514f81f219b261893105b6cf26bf99e03a3a4f26fb447c8f5a38e490685
    • Opcode Fuzzy Hash: 67bad89309b4104818ca6eb058d364c16b87fa78929c67e058025ba47a381a33
    • Instruction Fuzzy Hash: B221E6B5640A20AEE324CF19ED456507BB6FF48354F11741BE5848B3B1D3F8AA8ACF00
    APIs
    • LoadBitmapW.USER32(00000065), ref: 005DC8DD
    • GetObjectW.GDI32(00000000,00000018,?), ref: 005DC902
      • Part of subcall function 005DB6D2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,005DC92D,00000066), ref: 005DB6E5
      • Part of subcall function 005DB6D2: SizeofResource.KERNEL32(00000000,?,?,?,005DC92D,00000066), ref: 005DB6FC
      • Part of subcall function 005DB6D2: LoadResource.KERNEL32(00000000,?,?,?,005DC92D,00000066), ref: 005DB713
      • Part of subcall function 005DB6D2: LockResource.KERNEL32(00000000,?,?,?,005DC92D,00000066), ref: 005DB722
      • Part of subcall function 005DB6D2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,005DC92D,00000066), ref: 005DB73D
      • Part of subcall function 005DB6D2: GlobalLock.KERNEL32(00000000), ref: 005DB74E
      • Part of subcall function 005DB6D2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 005DB772
      • Part of subcall function 005DB6D2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 005DB7B7
      • Part of subcall function 005DB6D2: GlobalUnlock.KERNEL32(00000000), ref: 005DB7D6
      • Part of subcall function 005DB6D2: GlobalFree.KERNEL32(00000000), ref: 005DB7DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Global$Resource$BitmapCreateLoadLock$AllocFindFreeFromGdipObjectSizeofStreamUnlock
    • String ID: ]
    • API String ID: 3156877484-3352871620
    • Opcode ID: 204ac7985b2ca29e301c85c9abdea17082c6e9d69137d933c5ab300f80f0f3d5
    • Instruction ID: 2ab6019fab2c93f58a6f64dd8c773f929868b8e98becf7f3069bdcb4d5963481
    • Opcode Fuzzy Hash: 204ac7985b2ca29e301c85c9abdea17082c6e9d69137d933c5ab300f80f0f3d5
    • Instruction Fuzzy Hash: 7201AD32540A17A7DB31276C9C19A7F6E6BBFC1B61F160113B901BB392DF318C06D6A0
    APIs
      • Part of subcall function 005C12F6: GetParent.USER32(?), ref: 005C132A
      • Part of subcall function 005C12F6: GetDlgItem.USER32(00000000,00003021), ref: 005C133A
      • Part of subcall function 005C12F6: SetWindowTextW.USER32(00000000,005F45F4), ref: 005C1350
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 005DE7C5
    • SetDlgItemTextW.USER32(?,00000068), ref: 005DE7D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ItemText$ParentWindow
    • String ID: RENAMEDLG
    • API String ID: 1442298700-3299779563
    • Opcode ID: ebdcc6d4701fb21579baa5373e3e4e9d2d2bff1ffbb870ef5e0b9a771e457b2a
    • Instruction ID: 15caca96f32cd0d3e1973ff799c7e4145b82bbcca5ae3352998b4ba46de694a9
    • Opcode Fuzzy Hash: ebdcc6d4701fb21579baa5373e3e4e9d2d2bff1ffbb870ef5e0b9a771e457b2a
    • Instruction Fuzzy Hash: 1701F536784B54BAE3716B689C4EF673F5EFB5A701F100413F302AA290C66259068765
    APIs
    • CreateThread.KERNEL32(00000000,00010000,005D2480,?,00000000,00000000), ref: 005D2362
    • SetThreadPriority.KERNEL32(?,00000000), ref: 005D23A9
      • Part of subcall function 005C76E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C7707
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: Thread$CreatePriority__vswprintf_c_l
    • String ID: CreateThread failed
    • API String ID: 2655393344-3849766595
    • Opcode ID: 8c5194fe1815e2102c59f9e0b4fda49c11cf24014d0b5f57134fd640931e5870
    • Instruction ID: f4c75fd480fed9b87db02cec871aa7e813735c60210eb174162c7326e28720cd
    • Opcode Fuzzy Hash: 8c5194fe1815e2102c59f9e0b4fda49c11cf24014d0b5f57134fd640931e5870
    • Instruction Fuzzy Hash: 4F01D6B52447066FD7246F98DC95F67BB9DFB64712F10092FF742962C0CAA1A8808A30
    APIs
      • Part of subcall function 005ED0F0: GetEnvironmentStringsW.KERNEL32 ref: 005ED0F9
      • Part of subcall function 005ED0F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005ED11C
      • Part of subcall function 005ED0F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005ED142
      • Part of subcall function 005ED0F0: _free.LIBCMT ref: 005ED155
      • Part of subcall function 005ED0F0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005ED164
    • _free.LIBCMT ref: 005E9670
    • _free.LIBCMT ref: 005E9677
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
    • String ID: hBb
    • API String ID: 400815659-3631640185
    • Opcode ID: 36538cbe93c894fda52bd2465050955e1438571a18fc7a41e11e73977ee3cffd
    • Instruction ID: baca24680266feddc2f70742fa0f0642a809233c13f33771e7579b73ead7b115
    • Opcode Fuzzy Hash: 36538cbe93c894fda52bd2465050955e1438571a18fc7a41e11e73977ee3cffd
    • Instruction Fuzzy Hash: 9DE0E55290A8E381973D373B2C19A6E0E467BC2730B260327F8A4962C2DE148902049A
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,005D2526,?), ref: 005D2309
    • GetLastError.KERNEL32(?), ref: 005D2315
      • Part of subcall function 005C76E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005C7707
    Strings
    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 005D231E
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
    • String ID: WaitForMultipleObjects error %d, GetLastError %d
    • API String ID: 1091760877-2248577382
    • Opcode ID: ae30ad89541e2de4acac68ffecbedee6b229052cc4f603b0f6d1ca73c8b0cef8
    • Instruction ID: 604c5007944af536b8efd20de18dac022f1af7a9b825331eddc30512c2834b37
    • Opcode Fuzzy Hash: ae30ad89541e2de4acac68ffecbedee6b229052cc4f603b0f6d1ca73c8b0cef8
    • Instruction Fuzzy Hash: 8AD02B3140C83537C500276C6C0DD7F3C097F71330F200B09F336962E4DE64098089A5
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,005CED75,?), ref: 005CF5C3
    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,005CED75,?), ref: 005CF5D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2934255536.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
    • Associated: 00000000.00000002.2934163455.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934300608.00000000005F4000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000600000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000604000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934327666.0000000000624000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2934415392.0000000000625000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5c0000_ET7GnkzV1D.jbxd
    Similarity
    • API ID: FindHandleModuleResource
    • String ID: RTL
    • API String ID: 3537982541-834975271
    • Opcode ID: a501d98428b0b65b6b1ca26675a68e0f32ecca36345189417a209859d6a5f8e7
    • Instruction ID: 653e03f5595cd0e1ec4ea749aa8664e88c3790e0d2278c5ef1222adcd3805477
    • Opcode Fuzzy Hash: a501d98428b0b65b6b1ca26675a68e0f32ecca36345189417a209859d6a5f8e7
    • Instruction Fuzzy Hash: C6C0123124435066D63027B16D0DF932E9D6B10715F05045CB741DE1C0DEEDC844CB60