
Windows Analysis Report
0urFbKxdvL.exe

Overview

General Information

Sample name: 0urFbKxdvL.exe
renamed because original name is a hash value
Original sample name: 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c.exe
Analysis ID: 1527620
MD5: 0ae609594fbd4bb27287bd63bc9e9529
SHA1: a506ec04296bd6fe7450c59578bd55a94f17aa65
SHA256: 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c
Tags: exe, SliverFox, user-bloated7731

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries device information via Setup API
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0urFbKxdvL.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\0urFbKxdvL.exe" MD5: 0AE609594FBD4BB27287BD63BC9E9529)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 0urFbKxdvL.exe | Virustotal: Detection: 18%
Source: 0urFbKxdvL.exe | ReversingLabs: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.2% probability
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_00000001400043D0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,0_2_00000001400043D0
Source: 0urFbKxdvL.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 0urFbKxdvL.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 0urFbKxdvL.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 0urFbKxdvL.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 0urFbKxdvL.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: 0urFbKxdvL.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140004570: IIDFromString,CreateFileW,GetLastError,lstrlenW,wsprintfW,DeviceIoControl,CloseHandle,0_2_0000000140004570
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000CA3C 0_2_000000014000CA3C
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000D684 0_2_000000014000D684
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140009CA0 0_2_0000000140009CA0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_00000001400126C4 0_2_00000001400126C4
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140007320 0_2_0000000140007320
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000CD28 0_2_000000014000CD28
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140003990 0_2_0000000140003990
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_00000001400049C0 0_2_00000001400049C0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000E9D4 0_2_000000014000E9D4
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E0000 0_2_001E0000
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E6947 0_2_001E6947
Source: 0urFbKxdvL.exe | Binary or memory string: OriginalFilename vs 0urFbKxdvL.exe
Source: 0urFbKxdvL.exe, 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedeviceinstaller.exe vs 0urFbKxdvL.exe
Source: 0urFbKxdvL.exe | Binary or memory string: OriginalFilenamedeviceinstaller.exe vs 0urFbKxdvL.exe
Source: classification engine | Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140007EB0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,0_2_0000000140007EB0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Mutant created: \Sessions\1\BaseNamedObjects\e3a596ac-25f6-43e4-910a-e6a0c89ca722
Source: 0urFbKxdvL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0urFbKxdvL.exe | String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
Source: 0urFbKxdvL.exe | String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after
Source: 0urFbKxdvL.exe | String found in binary or memory: cursor is positioned on the newly-added filter.
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Section loaded: amsi.dll
Source: 0urFbKxdvL.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 0urFbKxdvL.exe | Static file information: File size 4338576 > 1048576
Source: 0urFbKxdvL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0urFbKxdvL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0urFbKxdvL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0urFbKxdvL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0urFbKxdvL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140004230 GetFullPathNameW,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,GetLastError,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0000000140004230
Source: 0urFbKxdvL.exe | Static PE information: real checksum: 0x4716e should be: 0x426362
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E8C37 push edi; ret 0_2_001E8C4B
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E8C5E push ecx; ret 0_2_001E8C63
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E8C7C push ecx; ret 0_2_001E8C82
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E8C70 push edi; ret 0_2_001E8C7A
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000CA3C EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000000014000CA3C

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000112B 0_2_000000014000112B
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | RDTSC instruction interceptor: First address: 140001142 second address: 140001152 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c fldpi 0x0000000e frndint 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | RDTSC instruction interceptor: First address: 140001152 second address: 140001152 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec ecx 0x0000000d cmp eax, ecx 0x0000000f jc 00007F9A810F7DADh 0x00000011 fldpi 0x00000013 frndint 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000112B rdtsc 0_2_000000014000112B
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140009CA0 SetupDiGetDeviceInstallParamsW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiOpenDevRegKey,RegCloseKey,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SetupDiGetDeviceRegistryPropertyW,SetupDiSetDeviceInstallParamsW,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiGetDriverInfoDetailW,GetLastError,SetupDiEnumDriverInfoW,SetupDiDestroyDriverInfoList,RegCloseKey,0_2_0000000140009CA0
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | API coverage: 2.1 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_001E2917 GetSystemInfo,0_2_001E2917
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000B608 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,0_2_000000014000B608
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_00000001400121B8 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00000001400121B8
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000C8BC GetProcessHeap,0_2_000000014000C8BC
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140010850 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000000140010850
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_000000014000F644 cpuid 0_2_000000014000F644
Source: C:\Users\user\Desktop\0urFbKxdvL.exe | Code function: 0_2_0000000140010018 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000140010018
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Access Token Manipulation | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 24 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 223 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
0urFbKxdvL.exe | 19% | Virustotal |
0urFbKxdvL.exe | 32% | ReversingLabs | Win64.Trojan.Generic
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | Virustotal |
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0urFbKxdvL.exe | false | | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0urFbKxdvL.exe | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | 0urFbKxdvL.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | 0urFbKxdvL.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0urFbKxdvL.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0urFbKxdvL.exe | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527620
Start date and time: 2024-10-07 06:50:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0urFbKxdvL.exe
renamed because original name is a hash value
Original Sample Name: 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c.exe
Detection: MAL
Classification: mal60.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 43
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Time | Type | Description
00:51:19 | API Interceptor | 1x Sleep call for process: 0urFbKxdvL.exe modified
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 0.539544912633656
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 0urFbKxdvL.exe
File size: 4'338'576 bytes
MD5: 0ae609594fbd4bb27287bd63bc9e9529
SHA1: a506ec04296bd6fe7450c59578bd55a94f17aa65
SHA256: 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c
SHA512: d8499aea7c7678fd73516908fc6b67620f6adb226229966b346e723ca08bdbddc42bfc37babdcdfc7c4e87ff8529beb930940eaa3302bb6e1e2731347da4abd1
SSDEEP: 3072:gQX30XiK1yhTwS8XjJ3T/yub0kouJidkIQhujeZw0WMTwTKVrSf5RWRtS:zH0bXllTK60kojwo0TCKVrSf5y
TLSH: 3E16D50363E96199F5F3AB3499B552219B737CA19E38C74E0258811DCFB3E809D39B63
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S._.2...2...2..X.&..2..X.'..2..X.$..2...Jz..2...2..22....&..2.... ..2...2~..2....%..2..Rich.2..................PE..d......^...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x14000b32c
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp: 0x5EBBC909 [Wed May 13 10:16:41 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 09e13ccaecfac7723baa55f4b7663729
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:
      Instruction
      dec eax
      sub esp, 28h
      call 00007F9A80B75418h
      dec eax
      add esp, 28h
      jmp 00007F9A80B664E5h
      int3
      int3
      dec eax
      lea eax, dword ptr [00009961h]
      dec eax
      mov dword ptr [ecx], eax
      dec eax
      mov eax, dword ptr [edx]
      mov byte ptr [ecx+10h], 00000000h
      dec eax
      mov dword ptr [ecx+08h], eax
      dec eax
      mov eax, ecx
      ret
      int3
      int3
      int3
      inc eax
      push ebx
      dec eax
      sub esp, 20h
      dec eax
      and dword ptr [ecx+08h], 00000000h
      dec eax
      lea eax, dword ptr [0000993Ah]
      dec eax
      mov ebx, ecx
      dec eax
      mov dword ptr [ecx], eax
      mov byte ptr [ecx+10h], 00000000h
      call 00007F9A80B70750h
      dec eax
      mov eax, ebx
      dec eax
      add esp, 20h
      pop ebx
      ret
      int3
      int3
      dec eax
      lea eax, dword ptr [00009919h]
      dec eax
      mov dword ptr [ecx], eax
      jmp 00007F9A80B70812h
      int3
      dec eax
      mov dword ptr [esp+08h], ebx
      push edi
      dec eax
      sub esp, 20h
      dec eax
      mov edi, edx
      dec eax
      mov ebx, ecx
      dec eax
      cmp ecx, edx
      je 00007F9A80B70753h
      call 00007F9A80B707F7h
      cmp byte ptr [edi+10h], 00000000h
      je 00007F9A80B70740h
      dec eax
      mov edx, dword ptr [edi+08h]
      dec eax
      mov ecx, ebx
      call 00007F9A80B70789h
      jmp 00007F9A80B7073Ah
      dec eax
      mov eax, dword ptr [edi+08h]
      dec eax
      mov dword ptr [ebx+08h], eax
      dec eax
      mov eax, ebx
      dec eax
      mov ebx, dword ptr [esp+30h]
      dec eax
      add esp, 20h
      pop edi
      ret
      dec eax
      mov dword ptr [esp+08h], ebx
      push edi
      dec eax
      sub esp, 20h
      dec eax
      lea eax, dword ptr [000098BBh]
      mov ebx, edx
      dec eax
      mov edi, ecx
      dec eax
      Programming Language:
      • [IMP] VS2008 SP1 build 30729
      • [RES] VS2012 UPD4 build 61030
      • [LNK] VS2012 UPD4 build 61030
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1bcac | 0x78 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0xafec | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x31000 | 0x10f8 | .pdata
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x38a00 | 0x1b90 | .rsrc
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0x67c | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a6f0 | 0x70 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x4a8 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x12f91 | 0x13000 | 1e594382c3f5e8c63dafbf83a47224d4 | False | 0.5647743626644737 | data | 6.31237259360314 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x14000 | 0x8e36 | 0x9000 | 748978ae9cc91681b00dd08b7b1c4a29 | False | 0.3344184027777778 | data | 4.318170867822159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x1d000 | 0x13b00 | 0x10800 | bbf99811d946b9122af7b8914d8d5dbe | False | 0.4825846354166667 | data | 5.627074879820151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .pdata | 0x31000 | 0x10f8 | 0x1200 | 5fca5de5e4fdf02465922bba040d5120 | False | 0.4516059027777778 | data | 4.842198122273491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc | 0x33000 | 0xafec | 0xb000 | ebcc72a1b2a02881e5b0bdf5fceb886d | False | 0.13108132102272727 | data | 3.4487274625670556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x3e000 | 0x90c | 0xa00 | f6324ad470840bca9e3b60544f950905 | False | 0.4171875 | data | 4.283178652006133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_STRING | 0x33118 | 0xea | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.43162393162393164
      RT_STRING | 0x33204 | 0xaa | data | English | United States | 0.4823529411764706
      RT_MESSAGETABLE | 0x332b0 | 0xa944 | Matlab v4 mat-file (little endian) \306\352, rows 60000, columns 60002, imaginary | English | United States | 0.1238576571586818
      RT_VERSION | 0x3dbf4 | 0x3f8 | data | English | United States | 0.41437007874015747

      DLL | Import
      KERNEL32.dll | FindFirstFileW, FindNextFileW, LocalFree, GetCurrentProcess, FormatMessageW, FileTimeToSystemTime, GetFileAttributesW, SetFilePointerEx, SetStdHandle, HeapSize, HeapReAlloc, GetConsoleMode, CreateFileW, GetFullPathNameW, GetWindowsDirectoryW, LoadLibraryW, lstrlenW, CloseHandle, FindClose, DeviceIoControl, GetLastError, GetProcAddress, GetDateFormatW, FreeLibrary, GetConsoleCP, FlushFileBuffers, OutputDebugStringW, LoadLibraryExW, LCMapStringW, WideCharToMultiByte, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStringTypeW, GetStartupInfoW, GetFileType, RtlUnwindEx, Sleep, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetModuleFileNameW, WriteFile, GetStdHandle, GetModuleHandleExW, WriteConsoleW, ExitProcess, GetProcessHeap, MultiByteToWideChar, GetCurrentThreadId, SetLastError, GetCPInfo, GetOEMCP, GetACP, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, GetCommandLineW, EncodePointer, DecodePointer, RtlPcToFileHeader, RaiseException, IsDebuggerPresent, IsProcessorFeaturePresent, VirtualAlloc
      USER32.dll | wsprintfW, LoadStringW, CharPrevW, CharNextW
      ADVAPI32.dll | RegQueryValueExW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, OpenServiceW, OpenSCManagerW, CloseServiceHandle, RegSetValueExW, RegDeleteValueW, RegCloseKey, InitiateSystemShutdownExW
      ole32.dll | CLSIDFromString, IIDFromString
      SETUPAPI.dll | CM_Get_Next_Res_Des_Ex, CM_Get_Res_Des_Data_Size_Ex, CM_Get_Res_Des_Data_Ex, CM_Get_First_Log_Conf_Ex, CM_Free_Res_Des_Handle, CM_Free_Log_Conf_Handle, SetupDiGetDriverInstallParamsW, SetupDiSetDeviceInstallParamsW, SetupDiDestroyDriverInfoList, SetupDiGetDriverInfoDetailW, SetupDiSetSelectedDriverW, SetupDiEnumDriverInfoW, SetupDiBuildDriverInfoList, SetupScanFileQueueW, SetupCloseFileQueue, SetupOpenFileQueue, SetupGetStringFieldW, SetupFindFirstLineW, SetupCloseInfFile, SetupOpenInfFileW, SetupDiGetDeviceRegistryPropertyW, SetupDiOpenDeviceInfoW, SetupDiCreateDeviceInfoListExW, CM_Reenumerate_DevNode_Ex, CM_Locate_DevNode_ExW, CM_Get_Device_Interface_List_SizeW, CM_Get_Device_Interface_ListW, CM_Get_DevNode_Status_Ex, CM_Get_Device_ID_ExW, CM_Disconnect_Machine, CM_Connect_MachineW, SetupDiClassGuidsFromNameExW, SetupDiClassNameFromGuidExW, SetupDiSetClassInstallParamsW, SetupDiGetDeviceInstallParamsW, SetupDiSetDeviceRegistryPropertyW, SetupDiOpenClassRegKeyExW, SetupDiCallClassInstaller, SetupDiGetClassDescriptionExW, SetupDiBuildClassInfoListExW, SetupDiGetINFClassW, SetupDiGetClassDevsExW, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiCreateDeviceInfoW, SetupDiGetDeviceInfoListDetailW, SetupDiCreateDeviceInfoList, SetupCopyOEMInfW, SetupDiOpenDevRegKey

      Language of compilation system | Country where language is spoken
      English | United States
      No network behavior found


      Target ID: 0
      Start time: 00:51:15
      Start date: 07/10/2024
      Path: C:\Users\user\Desktop\0urFbKxdvL.exe
      Wow64 process (32bit): false
      Commandline: "C:\Users\user\Desktop\0urFbKxdvL.exe"
      Imagebase: 0x140000000
      File size: 4'338'576 bytes
      MD5 hash: 0AE609594FBD4BB27287BD63BC9E9529
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: low
      Has exited: true


        Execution Graph

        Execution Coverage: 2.3%
        Dynamic/Decrypted Code Coverage: 99.2%
        Signature Coverage: 35.7%
        Total number of Nodes: 392
        Total number of Limit Nodes: 7
        [execution_graph: raw node and edge dump of the execution graph, truncated in this page and not reproduced; API nodes present in the dump are VirtualAlloc (1400035f3), LoadLibraryA, VirtualProtect, SleepEx and GetSystemInfo (1e29b8)]
8735->8736 8737 1e533f 8736->8737 8738 1e0e57 LoadLibraryA 8737->8738 8739 1e538a 8738->8739 8740 1e0e57 LoadLibraryA 8739->8740 8741 1e5407 8740->8741 8741->8567 8743 1e1557 LoadLibraryA 8742->8743 8744 1e6653 8743->8744 8745 1e66f7 8744->8745 8747 1e0e57 LoadLibraryA 8744->8747 8746 1e0e57 LoadLibraryA 8745->8746 8756 1e673f 8745->8756 8748 1e679b 8746->8748 8747->8745 8749 1e0e57 LoadLibraryA 8748->8749 8750 1e67d2 8749->8750 8751 1e0e57 LoadLibraryA 8750->8751 8750->8756 8752 1e686a 8751->8752 8753 1e0e57 LoadLibraryA 8752->8753 8754 1e690b 8753->8754 8763 1e6397 8754->8763 8756->8574 8758 1e0e57 LoadLibraryA 8757->8758 8759 1e4144 8758->8759 8759->8485 8761 1e40b7 LoadLibraryA 8760->8761 8762 1e6170 8761->8762 8762->8702 8764 1e0e57 LoadLibraryA 8763->8764 8765 1e648b 8764->8765 8766 1e0e57 LoadLibraryA 8765->8766 8767 1e64a2 8766->8767 8768 1e0e57 LoadLibraryA 8767->8768 8771 1e6541 8768->8771 8769 1e6581 8769->8756 8771->8769 8772 1e61f7 8771->8772 8773 1e0e57 LoadLibraryA 8772->8773 8774 1e6252 8773->8774 8775 1e0e57 LoadLibraryA 8774->8775 8776 1e6268 8775->8776 8777 1e0e57 LoadLibraryA 8776->8777 8778 1e627e 8777->8778 8779 1e0e57 LoadLibraryA 8778->8779 8780 1e6294 8779->8780 8780->8771 8782 1e1047 LoadLibraryA 8781->8782 8783 1e22b3 8782->8783 8784 1e1047 LoadLibraryA 8783->8784 8785 1e22c4 8784->8785 8786 1e1047 LoadLibraryA 8785->8786 8787 1e22d5 8786->8787 8788 1e1047 LoadLibraryA 8787->8788 8789 1e22e6 8788->8789 8790 1e1047 LoadLibraryA 8789->8790 8791 1e22f7 8790->8791 8791->8583 8791->8584

        Control-flow Graph

        APIs
          • Part of subcall function 001E0E57: LoadLibraryA.KERNELBASE ref: 001E0EC4
        • GetSystemInfo.KERNELBASE ref: 001E29C2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID: InfoLibraryLoadSystem
        • String ID: .$2$3$G$I$S$d$e$e$e$e$f$k$l$l$l$m$n$n$o$r$s$t$t$y
        • API String ID: 2528439753-3724200337
        • Opcode ID: 0fc8c04ef61f41a6e734b9a01e1b2a0ac8531192857d5d2a5c7d68ec73663fa1
        • Instruction ID: 6b362cf44f12e077093de3ab036843ab9f696ecefad6c7b416dbd138b25c46d6
        • Opcode Fuzzy Hash: 0fc8c04ef61f41a6e734b9a01e1b2a0ac8531192857d5d2a5c7d68ec73663fa1
        • Instruction Fuzzy Hash: D421B72040C7C0D9E352D628C08875FBED16BA674CF88599DF1C95A292C7BF8658C76B

        Control-flow Graph

        APIs
          • Part of subcall function 001E0E57: LoadLibraryA.KERNELBASE ref: 001E0EC4
        • VirtualProtect.KERNELBASE ref: 001E866E
        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E88FB), ref: 001E869D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID: ProtectVirtual$LibraryLoad
        • String ID: .$.$2$3$E$N$P$T$V$a$a$c$c$d$d$d$e$e$e$e$e$i$k$l$l$l$l$l$l$l$l$n$n$n$o$r$r$r$r$t$t$t$t$t$t$u$v
        • API String ID: 895956442-1938279493
        • Opcode ID: ed663ba51057405492db862212b8c8051be87ab1ea5d60a9a3613037d2cb4a83
        • Instruction ID: 98f3f78f390053dd27d3e82d5d17511d1080963eb83177ceb75fed1409a66346
        • Opcode Fuzzy Hash: ed663ba51057405492db862212b8c8051be87ab1ea5d60a9a3613037d2cb4a83
        • Instruction Fuzzy Hash: 8951702040C7C0CAE312D728C44875FFFE26BA6748F48498CB1C54A2A2C7FB9568C767

        Control-flow Graph

        APIs
          • Part of subcall function 001E0E57: LoadLibraryA.KERNELBASE ref: 001E0EC4
        • VirtualProtect.KERNELBASE ref: 001E8813
        • VirtualProtect.KERNELBASE ref: 001E8842
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID: ProtectVirtual$LibraryLoad
        • String ID: .$.$2$3$A$B$P$S$VeB$a$a$a$c$c$d$d$e$e$e$e$f$f$i$i$k$l$l$l$l$l$l$m$m$n$n$o$r$r$r$s$s$t$t$t$u$u
        • API String ID: 895956442-770127954
        • Opcode ID: a27508a6293d6f97c6c402cb9fb694186acae8492344363b8b6fcf1741269bed
        • Instruction ID: cac2c556508ed36d665c28282d806a2cda75891cce5795edabcebf95a71cf58e
        • Opcode Fuzzy Hash: a27508a6293d6f97c6c402cb9fb694186acae8492344363b8b6fcf1741269bed
        • Instruction Fuzzy Hash: 4551912050C7C0CAE312D728C45875FFFD26BA6748F48499CB1D54A2A2C7FB9668C767

        Control-flow Graph

        APIs
          • Part of subcall function 001E0E57: LoadLibraryA.KERNELBASE ref: 001E0EC4
        • SleepEx.KERNELBASE ref: 001E250E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID: LibraryLoadSleep
        • String ID: .$2$3$S$d$e$e$e$e$k$l$l$l$l$n$p$r
        • API String ID: 2118945035-1151806120
        • Opcode ID: 3cb603b51f7702b711465f8eee98a85c1f75f823072d7b7383f082aa6f8f4f25
        • Instruction ID: 399c514fb745afbb94ed2f0f68f1bec5567fef2971778998ceb648f0a3c49c15
        • Opcode Fuzzy Hash: 3cb603b51f7702b711465f8eee98a85c1f75f823072d7b7383f082aa6f8f4f25
        • Instruction Fuzzy Hash: 5B21F52010CBC4CEE342D668845875BFFD2ABAA709F440A5DF0C996292C7FAC598C727

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: 235e72a7c4a46574d56536a75a93859d3b0f1fc4ed960766b8425097f384a9d1
        • Instruction ID: 5bd7adb82a24445d6cb924a63fd42b2dd6f4c651f59e9fa04c343e8bf2393fa2
        • Opcode Fuzzy Hash: 235e72a7c4a46574d56536a75a93859d3b0f1fc4ed960766b8425097f384a9d1
        • Instruction Fuzzy Hash: 89119A70528B889FD689EF69C05871E7AE1FB9C345F940A2DF489D3290D7B889C4CB46

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: e4b512b6c16b9208ec479ad47c4ac0c5910a558e0788372609c665a1a03fa5f5
        • Instruction ID: 704af476db65c0eeef5f6891e4cc0caf001e4bac9f341313fc9b85eee6c6d204
        • Opcode Fuzzy Hash: e4b512b6c16b9208ec479ad47c4ac0c5910a558e0788372609c665a1a03fa5f5
        • Instruction Fuzzy Hash: 5961E4B2611A8192EB1ACF1BE1903EC6760F7CCBC5F549225EB4A07BB1DB38C1A5C700

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 33e563ba038323b2d255fb3bb1d5b113feda57c36ee0ed1f73719c6469e121ab
        • Instruction ID: 97dfca1c15d198223b395158cb937e2404b45c9ed2e5e2b82091fa29808ce56d
        • Opcode Fuzzy Hash: 33e563ba038323b2d255fb3bb1d5b113feda57c36ee0ed1f73719c6469e121ab
        • Instruction Fuzzy Hash: DF310F72608B8186E722CF56F88078AB7E4F38CB94F544129EB8947B78DF79C555CB00

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 1b6f53348a68bdd5065bf2f7113c7e9456c11f8837988c6a52245199bcdd0d90
        • Instruction ID: c8a0adb227e65bfff738e68f8c8946a12ff7ea2864567f7c2243dcec2aca9257
        • Opcode Fuzzy Hash: 1b6f53348a68bdd5065bf2f7113c7e9456c11f8837988c6a52245199bcdd0d90
        • Instruction Fuzzy Hash: 1C11907261964090EA27DF77B8407E962A4B78DFC5F988025FF4D4B3A1CE79C892C711

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 30a1d343fb9a970dba098e6885d91e60a03fd8333c3af810e1cc3c19700e9722
        • Instruction ID: 1ed30be74b7ba8a770c6a65b02b4c7fd82dd013a14b652b9f4c44187bbcdb5f7
        • Opcode Fuzzy Hash: 30a1d343fb9a970dba098e6885d91e60a03fd8333c3af810e1cc3c19700e9722
        • Instruction Fuzzy Hash: D5D052B061264082EB02DF33E0407C822A0A70EFC1F4A8024FA080B3A0DE3A80808B80

        Control-flow Graph

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID: -$-$-$-$-$-$.$.$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$0$0$0$0$0$0$2$2$3$3$4$4$4$:$:$:$A$A$A$F$F$F$G$G$G$H$H$H$P$P$P$S$S$S$V$a$a$a$a$a$a$a$a$b$c$c$c$c$c$d$d$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$f$f$f$f$f$f$f$f$g$g$g$g$h$h$i$i$i$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$k$k$k$k$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$n$o$o$o$p$p$p$p$p$p$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$v$v$v$x$x$x$x$y$y$y$z$z$z$z$z$z$z$z$z$z
        • API String ID: 1029625771-3190796625
        • Opcode ID: c8d79dde74befa2575d9765322aa16e196879dcb8d4840348170a8b8e9b5a32a
        • Instruction ID: a03fc4faadf2aa054ca0613f8f1ac1e15456e016eda1f6c386cf9095bd2f54ca
        • Opcode Fuzzy Hash: c8d79dde74befa2575d9765322aa16e196879dcb8d4840348170a8b8e9b5a32a
        • Instruction Fuzzy Hash: 4DB2173021CBC48AE376DB28C458BDFBBD2ABE6304F44495D90CD87292DBBA5558C763

        Control-flow Graph

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829954835.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_1e0000_0urFbKxdvL.jbxd
        Similarity
        • API ID:
        • String ID: .$.$2$2$3$3$A$B$B$C$E$E$E$E$E$E$E$E$M$MpS$P$P$P$P$P$P$P$P$S$T$W$a$a$a$a$c$c$c$c$c$c$c$c$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$g$g$h$i$i$i$i$i$i$i$i$k$l$l$l$l$l$l$n$o$o$o$o$o$o$o$o$o$o$p$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$u$x$x$x$x$x$x$x$x$x$x
        • API String ID: 0-1894514983
        • Opcode ID: d5e70fa943472593a328994ccd66b51891a2297826b3c5827c6605f78d733cd1
        • Instruction ID: 0e41bf4517aa08289c9e207e3b9920b6b3dc731a8d376133e1dc102908a8e07e
        • Opcode Fuzzy Hash: d5e70fa943472593a328994ccd66b51891a2297826b3c5827c6605f78d733cd1
        • Instruction Fuzzy Hash: 4322F42050CBC0C9E332D72884597DFBED2ABA6708F484D9DD1CD8A292DBFA4158C763
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: _errno_invalid_parameter_noinfo
        • String ID: U
        • API String ID: 2959964966-4171548499
        • Opcode ID: af4138025e285e9986c36e09b8c060183f9860ae73059bae6ccddf27b3ebd38c
        • Instruction ID: 1f4b0a45a299a05b7f9b4a85ca433d9c60d4af80b6a1c5da4c5d7ceea22fd39f
        • Opcode Fuzzy Hash: af4138025e285e9986c36e09b8c060183f9860ae73059bae6ccddf27b3ebd38c
        • Instruction Fuzzy Hash: C512D47221468186EB22CF2AE4843DEB7A1F78DBC4F544116FB894B6B8DB3EC555CB10
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$DeviceDriverInfoInstallParams$BuildCloseEnumList
        • String ID: DriverDesc$InfPath$InfSection$ProviderName
        • API String ID: 2620718138-109328823
        • Opcode ID: 004d6d2ef626f72d505bd0cfe8ca2f3722ce6cdb573c0bfad9fad846d2bd928a
        • Instruction ID: eaa9f11f46baee65e037cb275f94c5b721857eada26dcd83acea46d2b9e4ae60
        • Opcode Fuzzy Hash: 004d6d2ef626f72d505bd0cfe8ca2f3722ce6cdb573c0bfad9fad846d2bd928a
        • Instruction Fuzzy Hash: FCB16FB221478586EB61CF62B9443EA73E4F789BC8F404116EB8947A78EF7DC649D700
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
        • String ID: $@
        • API String ID: 3318157856-1077428164
        • Opcode ID: 45b5c7fedf1a9eefa98bdd1f63e44a8914cbe8fbf7a41632d7cb2cf6d8010d5f
        • Instruction ID: 7d32200c846e971a268c8d936c1203293af3f5361ec9625ac4ec6ccc3facf91c
        • Opcode Fuzzy Hash: 45b5c7fedf1a9eefa98bdd1f63e44a8914cbe8fbf7a41632d7cb2cf6d8010d5f
        • Instruction Fuzzy Hash: 3C52E0B26086C486FB66CB16F4443FE6BA1B7497C4F148016FF4667AF5DB79C940AB00
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: DecodePointerwrite_multi_char$Locale_errnowrite_charwrite_string$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_getptd_noexit_invalid_parameter_noinfo_isleadbyte_l_malloc_crtfree
        • String ID:
        • API String ID: 3710470324-0
        • Opcode ID: bdae5667f47aff7fbbf16576b180cd02ddf0167a7946a581b5586dad3fd4bd6c
        • Instruction ID: 43a8f8d452061ae399d37bafcbd321ed0e944e01b442aff3bca34f360b4d0701
        • Opcode Fuzzy Hash: bdae5667f47aff7fbbf16576b180cd02ddf0167a7946a581b5586dad3fd4bd6c
        • Instruction Fuzzy Hash: 5452B2B260868186FB66CB16F4443EE7BA1F7897D4F25011BFB465BAF4DB39C8418B10
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$ClassFromGuidsName$DestroyDeviceErrorInfoLastList
        • String ID:
        • API String ID: 1066883911-3916222277
        • Opcode ID: acf5cf9db57d546e807f12668150204679d19d9348a34b666ff6445cb47e287d
        • Instruction ID: 6cb68a191280f32e8ac8d9007d9eb735b98d7561379cab9c10be5878a5506a9f
        • Opcode Fuzzy Hash: acf5cf9db57d546e807f12668150204679d19d9348a34b666ff6445cb47e287d
        • Instruction Fuzzy Hash: B2C18EB270464182EB66CF66B8407EA77A0F78DBE8F504226EF6947BE5DB38C505C704
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$Device$Info$CharNext$List$ClassEnumErrorLastPropertyRegistrylstrlenwcschr$CreateDestroyDetailDevice_DevsFromGet_GuidsNameOpen
        • String ID:
        • API String ID: 540770659-0
        • Opcode ID: 46bf24fb9aa7e4b08b5476fc35f18a3a98618df8899f880df90351b03a45de3b
        • Instruction ID: 9bb0a2ba3187f6af023c882bec9f8781603e524fe668e13baff9208c86da8899
        • Opcode Fuzzy Hash: 46bf24fb9aa7e4b08b5476fc35f18a3a98618df8899f880df90351b03a45de3b
        • Instruction Fuzzy Hash: B2F18CB2B04A8086EB62CF26F444BDA67A4F789BD8F504115EF5D47BA8EB7DC541C700
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Library$AddressErrorFreeFullLastLoadNamePathProc
        • String ID: SetupUninstallOEMInfW$setupapi.dll
        • API String ID: 3805412813-3713901415
        • Opcode ID: 2b8d2a49c2dfd8286926f9f007ff0edf5a921fcb8e2036fdb8d59eade46a02c3
        • Instruction ID: c5f5208e2f038bcab60d9a25ef7d8eaa9f3ccf9720b0f20c03119a1375561dbd
        • Opcode Fuzzy Hash: 2b8d2a49c2dfd8286926f9f007ff0edf5a921fcb8e2036fdb8d59eade46a02c3
        • Instruction Fuzzy Hash: 4F4125B1614A8092EB62EB63F8453DA6360FB98BC1F455025FB4E476B6DF3CCA44C744
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: CloseControlCreateDeviceErrorFileFromHandleLastStringlstrlenwsprintf
        • String ID: {b5ffd75f-da40-4353-8ff8-b6daf6f1d8ca}${b5ffd75f-da40-4353-8ff8-b6daf6f1d8ca} Error %X
        • API String ID: 784259077-3618227390
        • Opcode ID: 9371f016894103a274dc2e27b9aaaef3ece1dfa444d2834018c35b0830c51904
        • Instruction ID: 8fe4f8c763be507cc92c7229caa7988853e25a059c82c6f96ecf7034f115f44b
        • Opcode Fuzzy Hash: 9371f016894103a274dc2e27b9aaaef3ece1dfa444d2834018c35b0830c51904
        • Instruction Fuzzy Hash: ED418C72304A4582EB21CF12F44439A7361F7897D4F814215EB8E4BAB8DF3DC649CB40
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSystemValue
        • String ID: SeShutdownPrivilege
        • API String ID: 2036077386-3733053543
        • Opcode ID: 4673438f657a7952c90e644b3e93f6ab33e7a1c3d9f2fcf07acf090e17b56650
        • Instruction ID: 2832a6990ff05d64aafd5fc68365cc9371dba05f77b21c8a77f32dbdad30392f
        • Opcode Fuzzy Hash: 4673438f657a7952c90e644b3e93f6ab33e7a1c3d9f2fcf07acf090e17b56650
        • Instruction Fuzzy Hash: 84110DB2614A8182EB21CF62F41579A77A1F78DB88F915015F78E4BA78DF7EC149CB00
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: DirectoryWindows
        • String ID: \INF\OEM*.INF
        • API String ID: 3619848164-2728984289
        • Opcode ID: fb27b99ad530845d268da5181d45462764bbd52525ee148a1f1191a07e3b520d
        • Instruction ID: 87ee9946e775dd7b4886b2606f1aab007d27cae620c4916618a5fa30faee4b9c
        • Opcode Fuzzy Hash: fb27b99ad530845d268da5181d45462764bbd52525ee148a1f1191a07e3b520d
        • Instruction Fuzzy Hash: 69416DF2314A8082EB22DB22F8543E962A5FB9D7D4F944121A75A076F6DF3CC509C714
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: CopySetup
        • String ID:
        • API String ID: 3932593008-0
        • Opcode ID: 004d69855c0444492032f3d8e4616cb30d8b0d7fbfa510f7f01e5b8619986469
        • Instruction ID: a60eb4f6eed8400f18e6139215ba9445b2455d60217eaa01b938a98619c129b0
        • Opcode Fuzzy Hash: 004d69855c0444492032f3d8e4616cb30d8b0d7fbfa510f7f01e5b8619986469
        • Instruction Fuzzy Hash: D73269B2604A8486FB66CF27F8943E9B7A4F78DB94F044226EB59477F5DB38C4858700
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9c2d1427acba216a55333da4bf10ffa46f58bb07106e4e162916ce79798d8ef1
        • Instruction ID: cea7d347219e52cdfa1c14992018c1d0d95a95b0b8ead74e5fe2d925432d012c
        • Opcode Fuzzy Hash: 9c2d1427acba216a55333da4bf10ffa46f58bb07106e4e162916ce79798d8ef1
        • Instruction Fuzzy Hash: F6F065B4B3531D09FE998BB72915BE15056475ABE4E44E630AE1CA73D0E43CA8920155
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$ErrorFindFirstLastLineString$Field$AddressClassDescriptionFileFromLibraryLoadOpenProc
        • String ID: ClassGUID$DriverVer$Provider$SetupVerifyInfFile$Version$setupapi.dll
        • API String ID: 2815445529-1638047923
        • Opcode ID: 61f6f44b7b042b4ad544f7a4d956d310c75e07ef06f78c2f06c14e127002d5cc
        • Instruction ID: 9356a1399b0e8ba1a1b8bd6b2e6dae40fe7e2ac72bd30a580a453a6ae19e76ec
        • Opcode Fuzzy Hash: 61f6f44b7b042b4ad544f7a4d956d310c75e07ef06f78c2f06c14e127002d5cc
        • Instruction Fuzzy Hash: 539126B2210A8592E762EF63F8047DA23A0FB8DBC5F804016BB4A576B5DF39C649C750
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: CloseOpenService$ClassHandleSetupValuelstrlen$CharDeleteErrorFormatFreeFromGuidsLastLocalManagerMessageNamePrev_errno_invalid_parameter_noinfofputws
        • String ID: LowerFilters$UpperFilters$lower$upper
        • API String ID: 2301954639-3449112408
        • Opcode ID: c8de1b8fa281c8ef1b4355dd1fa80e33725943819413b2979065e279466e257b
        • Instruction ID: 7abbcb659f324e3ac446997519a3390d0430b15f0da958f3f74bd2875e4fc4e8
        • Opcode Fuzzy Hash: c8de1b8fa281c8ef1b4355dd1fa80e33725943819413b2979065e279466e257b
        • Instruction Fuzzy Hash: 01E1DFB1600A4082EA26DB27F9503EA63A2F74DBE4F444225FF5A677F5EF3AC5458340
        APIs
        Strings
        • Error: No active device interfaces found. Is the sample driver loaded?, xrefs: 0000000140006B00
        • Error 0x%x retrieving device interface list size., xrefs: 0000000140006AE4
        • Error allocating memory for device interface list., xrefs: 0000000140006B29
        • Error 0x%x retrieving device interface list., xrefs: 0000000140006B69
        • Warning: More than one device interface instance found. Selecting first matching device., xrefs: 0000000140006B94
        • Error: StringCchCopy failed with HRESULT 0x%x, xrefs: 0000000140006BB5
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: wprintf$Device_Get_Interface_List_Size_errno_invalid_parameter_noinfo
        • String ID: Error 0x%x retrieving device interface list size.$Error 0x%x retrieving device interface list.$Error allocating memory for device interface list.$Error: No active device interfaces found. Is the sample driver loaded?$Error: StringCchCopy failed with HRESULT 0x%x$Warning: More than one device interface instance found. Selecting first matching device.
        • API String ID: 4215907127-1653569444
        • Opcode ID: df84e69d78d16755a989156a712fd83446a12bd72892cdade269fbaae3384414
        • Instruction ID: 65ff07ec2dedabcc05e19b096baed55693e3b94b1f706183af876b608bded32b
        • Opcode Fuzzy Hash: df84e69d78d16755a989156a712fd83446a12bd72892cdade269fbaae3384414
        • Instruction Fuzzy Hash: C33190B160460081FB16EF27B8413EA76E1BB8DBE0F948121BF19977F1EF39C5868600
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Des_Res_$Get_$Data_Free_HandleNext_wprintf$Size__errno_invalid_parameter_noinfofputs
        • String ID: DMA : %u$IO : %04I64x-%04I64x$IRQ : %u$MEM : %08I64x-%08I64x
        • API String ID: 1897267696-3427375868
        • Opcode ID: f86508c705e05d63a160b50b61966e16536725a36a75a4889040542636781cc1
        • Instruction ID: ddb3a1eb6b80c44e9e95771c1fcad6983c7a0eaa5175376a50ed0be315e634a4
        • Opcode Fuzzy Hash: f86508c705e05d63a160b50b61966e16536725a36a75a4889040542636781cc1
        • Instruction Fuzzy Hash: 8D414AB1208A8082EB66DF57F544BEAB3A5F789BC4F494015BB4A4B7B5DF38C945CB00
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$DriverInfo$DeviceInstallParamsTime$BuildDateDetailEnumErrorFileFormatLastListSystem
        • String ID:
        • API String ID: 618623176-3916222277
        • Opcode ID: 9cd4087c554e4eac253ba68a21dbc4d99d34ddc71f2c87828bcc5fac513abc1b
        • Instruction ID: ec5508ad97f21095b8260fe81413e34f856c590f93263b3ed450f44e94f4a250
        • Opcode Fuzzy Hash: 9cd4087c554e4eac253ba68a21dbc4d99d34ddc71f2c87828bcc5fac513abc1b
        • Instruction Fuzzy Hash: 8BC15BB161468086F726EB62E805BDA77A1F78CBC4F404415FB8957AEACF3DC644CB60
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: wprintf$DeviceGet_Setup$CharDetailDevice_FormatFreeInfoListLocalMessageNode_PrevPropertyRegistryStatus__errno_invalid_parameter_noinfofputwslstrlen
        • String ID: %-60s:
        • API String ID: 367777426-769737362
        • Opcode ID: f032e8fae677de0da69d302c5c80f20a4f91eef62ad1fc40ac2ef5aea2a327ab
        • Instruction ID: e9abfa25a142b5ff92d8e0d505dbabf69afb4d540efb7fde84babaf60d48a2db
        • Opcode Fuzzy Hash: f032e8fae677de0da69d302c5c80f20a4f91eef62ad1fc40ac2ef5aea2a327ab
        • Instruction Fuzzy Hash: 78B1ADB2610A8582EB62CF26F4407EAA7A5F788BD8F445224FB9A577B5DF3CC451C700
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$FileQueue$DeviceDriverInstallParams$InfoScan$CallCharClassCloseDestroyDetailErrorFormatFreeInstallerLastListLocalMessageOpenPrevSelectedfputsfputws
        • String ID:
        • API String ID: 3517419612-0
        • Opcode ID: ac74428aa5dd5c35b4bc2e0249f9db39bb6b66f70a776efa6525b73bcb8564c1
        • Instruction ID: d063ca9a16e41564c09959666ef8371de515dc05b799c50b288e8d1683b31fe8
        • Opcode Fuzzy Hash: ac74428aa5dd5c35b4bc2e0249f9db39bb6b66f70a776efa6525b73bcb8564c1
        • Instruction Fuzzy Hash: 0E614CB1214A8086F722DF22E8547DA73A5FB89BD4F404626FB6907AF5DF39C609C740
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID: 0-3916222277
        • Opcode ID: a90501a58383f8471fb478657ccf385f7d3b3128c39c7fbd9fdbb16fd87cd59c
        • Instruction ID: 8939e11e4d63b3d66664be8960c86d4ff965cd3e2d8b9b64c70fef0255db7796
        • Opcode Fuzzy Hash: a90501a58383f8471fb478657ccf385f7d3b3128c39c7fbd9fdbb16fd87cd59c
        • Instruction Fuzzy Hash: 28516E72304AC082EB25DF12F4047DB63A5F789BD5F944116AB8947AA8EF7DC545CB00
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: ClassSetup$BuildInfoList$DescriptionErrorExceptionFromGuidLastNameThrow_callnewhmallocwprintf
        • String ID: %-20s: %s
        • API String ID: 3398164692-1251934994
        • Opcode ID: d6051411c387a46dfcc46221ce026d307689f9695689710c9e8ce05c24461f66
        • Instruction ID: b8fcd1a316e30d656eea867874f6d3a68273eafe061fbe9abbbe1891a3b094d0
        • Opcode Fuzzy Hash: d6051411c387a46dfcc46221ce026d307689f9695689710c9e8ce05c24461f66
        • Instruction Fuzzy Hash: 62618CB232568182EB62CF12B4407DA63A0FB8DBC4F844525FB8A47BA5EF3CC505C744
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setupwprintf$CharClassCloseDetailDeviceFormatFreeInfoListLocalMessageOpenPrevfputsfputws
        • String ID: %s$LowerFilters$UpperFilters
        • API String ID: 205352705-1836264166
        • Opcode ID: 0be0182f719dfb9952726e0c0785eb2e390ae01cca8e94e282cd98b64d68face
        • Instruction ID: 529cbf2e193ed732394b1f7d828ec3daeef0bdc298c3290cedfbf51475d62f3e
        • Opcode Fuzzy Hash: 0be0182f719dfb9952726e0c0785eb2e390ae01cca8e94e282cd98b64d68face
        • Instruction Fuzzy Hash: 9C5169B1614A8042FA17EB23F8197EA6291AB8DBC0F484125BB5D4B3E7DF7DC8418351
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID:
        • String ID: UpdateDriverForPlugAndPlayDevicesW$newdev.dll
        • API String ID: 0-3767700378
        • Opcode ID: 8806c71b56bc765eddcbc7946bf0cabb6b8bc9be3bac1c222922800c6063ff69
        • Instruction ID: 6bd2540d958761b39ee3454196263a72dfaf786d20ea5a31e2b33f33bc23979a
        • Opcode Fuzzy Hash: 8806c71b56bc765eddcbc7946bf0cabb6b8bc9be3bac1c222922800c6063ff69
        • Instruction Fuzzy Hash: D13159B1208A8082EB62EB62F4883DA63A4F78DBC1F444126EB4947BA5DF39D4858700
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: Setup$ClassDeviceInstallParams$CallDetailDevice_Get_InfoInstallerListwprintf
        • String ID: %-60s: %s
        • API String ID: 1061212145-3470069224
        • Opcode ID: 39421e0781a6c62ba2f951787ac893adc36cd0b67526da7e01083c921b7177f6
        • Instruction ID: 0dec86af3c577e712a98a7b3109412ecac0a40933844ac8a87a4e6dfd11fb277
        • Opcode Fuzzy Hash: 39421e0781a6c62ba2f951787ac893adc36cd0b67526da7e01083c921b7177f6
        • Instruction Fuzzy Hash: 393121B1214AC182F7618F22F8587DA77A2F789BC8F404116EF89576A8DF3DC515CB40
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: _errno$BuffersErrorFileFlushLast__lock_fhandle_getptd_noexit_unlock_fhandle
        • String ID:
        • API String ID: 211752500-0
        • Opcode ID: aafe2b3a985552675c15153066ba911b6788134598c82b6409c44e7c12b7c723
        • Instruction ID: 6f9d9d2e137c53e7689b88ca5d0af2c8b064bf5e67caee8433d539d6654ada62
        • Opcode Fuzzy Hash: aafe2b3a985552675c15153066ba911b6788134598c82b6409c44e7c12b7c723
        • Instruction Fuzzy Hash: D321E771310A8045FB17AF67A4E13ED2652AB9C7E0F194118FB564F3F2DE79C8918314
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1830110169.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
        • Associated: 00000000.00000002.1830094398.0000000140000000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830134247.0000000140014000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830150505.000000014001D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.000000014001E000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830164046.0000000140024000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1830203802.0000000140031000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_140000000_0urFbKxdvL.jbxd
        Similarity
        • API ID: CharNext$lstrlen$_errno_invalid_parameter_noinfowcschr
        • String ID:
        • API String ID: 2821222958-0
        • Opcode ID: bef95d78009c089aeea2a6ce3f18c19c5432a3c65cf1d8999f49be06cb53108e
        • Instruction ID: 32f5eaf999c97275e364a4c63c52a64c0c23b4bcc29fa5b9fc78720e62347257
        • Opcode Fuzzy Hash: bef95d78009c089aeea2a6ce3f18c19c5432a3c65cf1d8999f49be06cb53108e
        • Instruction Fuzzy Hash: 1C518DB5601A5181EE76DB63B5143FE62A0BB8DFC0F488426FF8657BA5EF38C6518310
        APIs
        Similarity
        • API ID: CharNext_errno_invalid_parameter_noinfo
        • String ID:
        • API String ID: 1929449741-0
        • Opcode ID: 57fd3ba7d0dc3bba04662302b7b662dfb0eaba2940cf9eae605d080abce027b2
        • Instruction ID: e5514d4ebe63c75b25eea472a4b9a7b07c126955c5f8705adc0d784fca488e60
        • Opcode Fuzzy Hash: 57fd3ba7d0dc3bba04662302b7b662dfb0eaba2940cf9eae605d080abce027b2
        • Instruction Fuzzy Hash: 094180B571565181EB66DB27B9103FA62A4FB4DBC0F484025FF8A57BE5EF38C4A28310
        APIs
        Similarity
        • API ID: _getptd_noexit$__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
        • String ID:
        • API String ID: 75911684-0
        • Opcode ID: 1715129e0919a1850b4a4de5b21ed77b4c1e29a5ba07b43396ca8edd0cf17bed
        • Instruction ID: b10b0c6338cf677d8ed1d5406abb4dfef6a591b96a03ab56529a241025bd8f4e
        • Opcode Fuzzy Hash: 1715129e0919a1850b4a4de5b21ed77b4c1e29a5ba07b43396ca8edd0cf17bed
        • Instruction Fuzzy Hash: C721F3B261558045FA07AF27A8827ED6650AB88BF1F594718FF790F3F2DB398441C714
        APIs
        Strings
        Similarity
        • API ID: wprintf$DetailDeviceDevice_Get_InfoListSetup
        • String ID: %-60s: %s$%s
        • API String ID: 500149863-1339393084
        • Opcode ID: 58420ff71981e70f0b088cf18948d52def29ba61bff1789f6497cbc26443b0c8
        • Instruction ID: d815fc9da303b41ef93b9c6d4678b871f195b329186b52154e75255d3b88d213
        • Opcode Fuzzy Hash: 58420ff71981e70f0b088cf18948d52def29ba61bff1789f6497cbc26443b0c8
        • Instruction Fuzzy Hash: F22171B171868581FB62DF16F4947EA63A0FB8ABC4F448125EB4D0B7A4DF39C505C700
        APIs
        Strings
        Similarity
        • API ID: Library$AddressFreeLoadProc
        • String ID: SetupSetNonInteractiveMode$setupapi.dll
        • API String ID: 145871493-1268865691
        • Opcode ID: 94f97624f5dac09af30f832d77a35dc926adfb2c0542bc15ea753e67248f1de5
        • Instruction ID: 84aa0ad4c05f19595f6f0cb0327785312e08ad5f4029f5bf74cd787ca5e35ae0
        • Opcode Fuzzy Hash: 94f97624f5dac09af30f832d77a35dc926adfb2c0542bc15ea753e67248f1de5
        • Instruction Fuzzy Hash: 63213976708B9082EB12AF57B8447AAA390B78EFD4F440525BF8917B34DF3CC1418B04
        APIs
        Similarity
        • API ID: _getptd_noexit$__lock_fhandle_close_nolock_errno_unlock_fhandle
        • String ID:
        • API String ID: 1789918242-0
        • Opcode ID: cd0c5e2885a051529e2b8990a08f8e249855bcd391e8febec261e9a7fea12117
        • Instruction ID: 527fc7903de6d94cafebed338d17db3d73ae6ebbf5563fcfae0adc79fb118e46
        • Opcode Fuzzy Hash: cd0c5e2885a051529e2b8990a08f8e249855bcd391e8febec261e9a7fea12117
        • Instruction Fuzzy Hash: 641104F261928045F627EF27A8853EC6650A7887F1F654628FB5A0F3F7CA79C8418710
        APIs
        Similarity
        • API ID: Conf_Get_Log_$First_$DetailDeviceFree_HandleInfoListNode_SetupStatus_
        • String ID:
        • API String ID: 950201049-0
        • Opcode ID: a2e0bd01e5d5aa480d3cc991309868edf8cbe1ceb55d54a243f334fb4bcb990a
        • Instruction ID: 6af4d3e925e2d7f0f9bc8d1bcdc9ddc98766f1539d03e36d6a6539f7e7af98da
        • Opcode Fuzzy Hash: a2e0bd01e5d5aa480d3cc991309868edf8cbe1ceb55d54a243f334fb4bcb990a
        • Instruction Fuzzy Hash: 03415B7232468286EB91DF62F4847DA73A0F788BC4F405015FB8A47AA9DF3CD459CB50
        APIs
        Similarity
        • API ID: _getptd_noexit$__lock_fhandle_errno_unlock_fhandle
        • String ID:
        • API String ID: 1756211493-0
        • Opcode ID: f21935d3972bad399e818c089660db3031781d0e2c4ccb26f942fd882b222533
        • Instruction ID: 647ed5fa019ca88172cc81a66e8da66ecb732046a6aefd4dead0957879e25fe8
        • Opcode Fuzzy Hash: f21935d3972bad399e818c089660db3031781d0e2c4ccb26f942fd882b222533
        • Instruction Fuzzy Hash: BD21E4727206804AFB07AF67A8417ED7A50AB88BE1F594514FB190F3F2CF798891CB10
        APIs
        Similarity
        • API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
        • String ID:
        • API String ID: 1573762532-0
        • Opcode ID: e92b10341d8fdd7dfca5fe718ddef3a7398a5a471f3b54b454817d12f8827c49
        • Instruction ID: 6609a30aa4cf3393d92ddf3bb2956f3420ba20a1f9d389a3212d390fe0e2dc09
        • Opcode Fuzzy Hash: e92b10341d8fdd7dfca5fe718ddef3a7398a5a471f3b54b454817d12f8827c49
        • Instruction Fuzzy Hash: FC4125F2A1129686FF66EB23B1403FA72E0E759BD4F944126FB99476E5D73CC9818300
        APIs
        Similarity
        • API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
        • String ID:
        • API String ID: 781512312-0
        • Opcode ID: 97ceef5abbfc478cb36941b4f4966c8d6de80c2938c1c831e00e3e21b6c0c3dd
        • Instruction ID: 8fac1346d1b894dbe6228735086dc04d5ee8932f7cf276c59b5d6265866b3863
        • Opcode Fuzzy Hash: 97ceef5abbfc478cb36941b4f4966c8d6de80c2938c1c831e00e3e21b6c0c3dd
        • Instruction Fuzzy Hash: 1E41FEF2A142A082EB66EB17A5503FD33E0E759BE4F948126BB94076E4DB3CCA51C700
        APIs
        Similarity
        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
        • String ID:
        • API String ID: 2998201375-0
        • Opcode ID: 741d118cd70e220190e4bb691a5021469b15d54b4cde05510503b4749c4145a7
        • Instruction ID: be0636770cc254fb24b2b61a7092ef18000d969c6bf9c0bb47e9775d6fb6f0d8
        • Opcode Fuzzy Hash: 741d118cd70e220190e4bb691a5021469b15d54b4cde05510503b4749c4145a7
        • Instruction Fuzzy Hash: EA41937221478086E7628F16E5507A9BBE5F78DBC4F184125FBC95BBB5CB3AC4818700
        APIs
        Similarity
        • API ID: Setup$Class$InstallParams$CallDeviceInstaller$DetailDevice_Get_InfoListwprintf
        • String ID:
        • API String ID: 1966150667-0
        • Opcode ID: 9e948d31ab438f15699dcec5241440013ac89f9c856d05fa3685d17348867dfd
        • Instruction ID: e77259fa737ca3a44b1553b610878a15bf1f23e6ef38c20c59c9e02be9d66c37
        • Opcode Fuzzy Hash: 9e948d31ab438f15699dcec5241440013ac89f9c856d05fa3685d17348867dfd
        • Instruction Fuzzy Hash: 28311CB120468486F725CF62F9483EAB6A5F789FC8F40811AAF495BBA5CF3CC505CB00
        APIs
        Strings
        Similarity
        • API ID: QueryValue$ErrorLastmalloc
        • String ID: LowerFilters
        • API String ID: 1675453543-1260524392
        • Opcode ID: b646b932c804e92da479334267234a5eade005bc3186fd2fd4d52ffbfb171c98
        • Instruction ID: b148fc0544ec94f13facd909defaf699cef75644d0b323d5e7628174600a6393
        • Opcode Fuzzy Hash: b646b932c804e92da479334267234a5eade005bc3186fd2fd4d52ffbfb171c98
        • Instruction Fuzzy Hash: B1318F72205A8082EA11DB12F9107AAA391FB8DBE0F440124FB9C47BF5EF3CD4428700
        APIs
        • _callnewh.LIBCMT ref: 000000014000A13E
        • malloc.LIBCMT ref: 000000014000A14A
          • Part of subcall function 000000014000A43C: _FF_MSGBANNER.LIBCMT ref: 000000014000A46C
          • Part of subcall function 000000014000A43C: _NMSG_WRITE.LIBCMT ref: 000000014000A476
          • Part of subcall function 000000014000A43C: HeapAlloc.KERNEL32(?,?,00000000,000000014000D4AC,?,?,?,000000014000D320,?,?,?,000000014000D21F), ref: 000000014000A491
          • Part of subcall function 000000014000A43C: _callnewh.LIBCMT ref: 000000014000A4AA
          • Part of subcall function 000000014000A43C: _errno.LIBCMT ref: 000000014000A4B5
          • Part of subcall function 000000014000A43C: _errno.LIBCMT ref: 000000014000A4C0
        • _CxxThrowException.LIBCMT ref: 000000014000A193
          • Part of subcall function 000000014000B4EC: RtlPcToFileHeader.KERNEL32(?,?,BFFFFC18,000000014000A198), ref: 000000014000B57B
          • Part of subcall function 000000014000B4EC: RaiseException.KERNEL32(?,?,BFFFFC18,000000014000A198), ref: 000000014000B5BA
        Strings
        Similarity
        • API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
        • String ID: bad allocation
        • API String ID: 1214304046-2104205924
        • Opcode ID: fddd8a609d162bc89f9e8555dba05befc6ca794d4df5c22690dcb180c715d3fa
        • Instruction ID: 00394f6e29a52a294704bd01fcc06cfe4e28e17ddc6fc69541490e775216bdc4
        • Opcode Fuzzy Hash: fddd8a609d162bc89f9e8555dba05befc6ca794d4df5c22690dcb180c715d3fa
        • Instruction Fuzzy Hash: 59016DB1705B4A80EE26DB57F4413E963A4EB8D3C4F584020BB4D0BBB6EE7CC2558B00
        APIs
        Similarity
        • API ID: CharFormatFreeLocalMessagePrevfputws
        • String ID:
        • API String ID: 578739846-0
        • Opcode ID: dd6f502a9c501a50b8c5893e1ccc19445fd9336d712e31972eb5573a7e85d718
        • Instruction ID: 0317abda768b4f82498e3985b6f84318e84164464ede2f8f6a7c7405a7638442
        • Opcode Fuzzy Hash: dd6f502a9c501a50b8c5893e1ccc19445fd9336d712e31972eb5573a7e85d718
        • Instruction Fuzzy Hash: CA215772714B4082E712CF1AE4947ADB3A5FB99B80F654229EB9D47774EF3AC851C700
        APIs
        Similarity
        • API ID: MachineNode_$Connect_Disconnect_Locate_Reenumerate_
        • String ID:
        • API String ID: 218754429-0
        • Opcode ID: 103f8b5516ebc72930eefc0d42e045731fdfda955b2280b4edec869cd7c41709
        • Instruction ID: a978d63058804bec8c228a9804c1d47a874a525bd408d6d7e3fa542ccfbe5fae
        • Opcode Fuzzy Hash: 103f8b5516ebc72930eefc0d42e045731fdfda955b2280b4edec869cd7c41709
        • Instruction Fuzzy Hash: 50114C71614A4182EB15DB62F84079AA3B1FB98BC8F458521FB8857A79DF38C5018B00